The saying "knowledge is power" aptly applies to benchmark studies, which compare your performance against your peers. This concept is particularly relevant for assessing SOC 1 or SOC 2 reports, where knowing how you stack up against others can lead to valuable insights.
CBIZ and MHM's 2023 study, Benchmarking Your SOC Compliance Framework, serves as such a resource, helping service providers improve their SOC reports for better efficiency and customer satisfaction. This study analyzed over 150 SOC 1 and SOC 2 reports from various industries and company sizes, with key findings shared over the past few months.
Many companies focus only on the overall opinion and control exceptions in SOC reports, missing other crucial information. Our study guides you on what to look for and the questions to ask, providing a deeper understanding and analysis.
As we explore the final insights from this report, it's clear that a comprehensive review of SOC reports is necessary to see the bigger picture. This goes beyond just the basic elements, helping companies understand their position and how they can improve compliance and efficiency.
Let’s look at some of the highlights:
Number of Objectives Varies Vastly Across SOC 1 Reports
The number of control objectives in SOC 1 reports varied greatly in our analysis, ranging from as few as two to as many as 56 objectives. From an evaluation perspective, this spread makes it difficult to use the numbers to determine an expected count for any individual report; that said, the average across the reports was 10. Differences in processes across service or customer types explain some of this wide variation, but it still offers a few basic considerations for companies. For example, organizations at the higher end of the spectrum may be able to streamline their compliance efforts by reevaluating and consolidating objectives (in other words, a controls rationalization).
For organizations with fewer than four objectives, it is hard to assess the sufficiency of controls, primarily because any business process controls and objectives rely on IT General Controls (ITGC). A traditional ITGC set alone would usually entail three objectives covering security, change management and computer operations. Without these, a reader is left to wonder whether the business process controls that were tested can be relied upon at all when the ITGC were never tested.
But remember: while the benchmarked averages provide some perspective here, your own specific processes should be the first and foremost consideration.
Security Category Included in All Reports, Privacy Has Low Traction
While service providers are not obligated to include the security category in SOC 2 reports (per an American Institute of Certified Public Accountants FAQ published in November 2020), all reports examined in this study did so. We took added comfort in the fact that security was included in all SOC 2 reports, as, arguably, all your other controls may be compromised without sufficient security controls.
Beyond security being included in 100% of reports, we noted that the next most common categories were availability (71%) and confidentiality (34%). Privacy was included in only a small number of reports, at 5%. The low inclusion of privacy was not surprising when one considers that adding privacy almost doubles the scope of most SOC 2 reports because of the number of additional criteria that must be met.
Service providers should take charge of selecting the categories to be included in a SOC 2 report. Present your own evaluation of the categories you consider most relevant to customers or vendors who inquire about your SOC 2 report. Leaving the choice to the customer or vendor with a generalized question such as, “What do you think we should cover?” is often answered with, “How about all of them?” Service organizations must take charge of the conversation, present their case for what they consider most relevant, and explain why they have deemed it sufficient.
When this is done, customers and vendors will be satisfied nearly every time. If service providers decide to assess security only, consulting with their service auditor regarding the potential inclusion of other categories and the associated effort is advisable.
The Non-Occurrence of a Control is Less Common Than Expected
Emphasis of matter (EOM) paragraphs are optional additions to audit reports that highlight significant matters beyond key audit matters. They are included when the auditor deems them critical to the user's understanding. Service auditors most commonly use EOM paragraphs to explain that the operating effectiveness of a control for specific SOC 2 criteria cannot be opined upon because the control did not operate during the period.
Of the SOC 2 reports we reviewed, only 6% included an emphasis of matter paragraph. All instances were due to non-occurrence of controls, meaning a control was inactive during the audit period. These non-occurrences were primarily linked to the absence of new hires, new customers or security incidents, which is understandable.
Interestingly, non-occurrences were not reported more often, especially for the absence of security incidents. This suggests that a closer examination of the reasons behind these non-occurrences might be helpful.
Timeliness of Report Release Crucial for Public Companies
Our last area of analysis concerned a statistic that many SOC readers do not even consider: the issuance period. The issuance period is the time between the end of the audit period and the release of the final SOC report, and it is crucial, particularly for public companies. Many service auditors have internal firm goals of issuing a report within 45-60 days after period end. Per our study, the average issuance period was 82 days, slightly exceeding the typical 60-day target.
Perhaps most surprisingly, our analysis found that 21% of reports took 100 or more days to issue. In one instance, the report was not issued until 535 days after the period ended. That is almost a year and a half after the period, by which time one would have to question whether the report can even be relied upon given how stale the data is. When report issuance exceeds 60 days, we encourage SOC readers to contact the service provider and ask about the reasons, as the answer can sometimes tell a compelling story.
The likely answers will be either: (a) our service auditor was delayed, or (b) the service provider had competing priorities arise that prevented them from focusing on the closure of the report. If the latter, we would want to understand better how/why the validation of their control environment was deemed to be the lower priority.
Check out our 2023 SOC Benchmark Study to see the full results. If you need assistance conducting a SOC 1 or SOC 2 report or have questions regarding the process, connect with one of our professionals.
Copyright © 2024, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.