Should I Get a SOC 2 Report? Examining the ROI of SOC 2 Compliance

If you are trying to determine if your company would benefit from obtaining a SOC report, here are a few questions and answers that may help make the decision.

1) Are clients requesting a SOC report?

Many firms find that obtaining a SOC report is a cost of doing business because clients or prospects ask for SOC reporting as part of the due diligence process. You may also see requests for SSAE 16 (the former standard) or SSAE 18; these terms are synonymous with SOC reporting. If clients are already asking for SOC reports, the decision is easy – yes, you need one.

Insight: We have seen a measurable uptick in the number of firms requiring a SOC report to do business. Due to the ongoing surge of cybersecurity incidents, many companies perceive third-party business partners as a significant risk (one outside their control). One way to measure and control that risk is to obtain a minimum level of comfort about their business partners’ environments. SOC reporting, along with other compliance reporting, is quickly becoming the de facto standard for gaining that level of comfort and assurance.

2) What markets do you serve or do you plan to serve in the future?

Are these markets heavily regulated? What are the norms in these markets? Is there change on the horizon?

If you serve or plan to pursue clients or business partners in markets where technology and compliance often intersect – such as financial services, financial technology, healthcare technology, insurance, technology or data analytics – it is highly likely you will need a SOC report to do business in this space.

Insight: In a 2017 survey performed by Ernst & Young, 71% of respondents reported that they rely on SOC 2 reports to assess vendors in lieu of on-site visits. When considering a SOC report, think about where your company is headed. We have seen it take clients 3 – 24 months to prepare for and obtain a SOC report. Compliance should never be the reason you lose a prospective client – so plan ahead.

3) Do your competitors have a SOC 2 report?

When pursuing new clients it is important to understand what your competitors bring to the table. All things being equal, sometimes an extra layer of assurance in the form of a SOC 2 report is a significant competitive advantage.

If all of your competitors are presenting a SOC report to clients, but you are not, are you still competitive? If none of your competitors have a SOC report, will obtaining a SOC report help you win business?

Insight: A SOC report is not a marketing document, but when it comes to smooth onboarding, navigating legal requirements, and giving your clients a basic level of assurance – a SOC report can go a long way. Companies always want to do business with partners with whom it’s easy to do business.

4) Does your company have other compliance objectives?

If your company has other compliance objectives (such as NIST 800-53, NIST 800-171, HIPAA, or ISO 27001), you may be able to leverage a SOC 2 report to assess and report on those standards as well. This is possible because SOC 2 defines minimum criteria, but does not define exactly how you can meet those criteria. This provides flexibility to simultaneously align to other known frameworks.

Insight: The concept is often referred to as “test once, report many,” referring to the opportunity to reduce the audit burden by mapping controls from various compliance requirements into a single Unified Control Framework. This ultimately saves time and money. We have written about that strategy here.

5) Will compliance help drive other important security or risk management objectives?

Leadership often finds it challenging to motivate employees to take security and risk management activities seriously. Changes to processes or enhanced security controls are perceived as “more work.” An annual assessment of security controls often puts security into context for employees (the auditor is coming) and gives management visibility into how well controls are operating.

Insight: An audit firm should be a business partner and advocate – not an adversary. Use an external audit to drive the business, not hinder it. Talk to your audit partner about your goals, where you want to improve, and how to measure progression and maturity – there should always be a clear ROI and positive impact to the business!

Let’s Get Started

If you are considering a SOC 2 report please contact one of our professionals to learn more about why we are a great business partner.
