Service Organization Control (SOC) reports are designed to provide independent assurance that an organization is properly managing and mitigating risk associated with its outsourced relationships. Companies produce SOC reports to communicate to customers the internal controls in place for an outsourced service, engaging a firm like LBMC to audit control areas that may include information technology and security and/or financial reporting.
“You can look at the SOC report from the perspective of the company that is undergoing that SOC audit or attestation, or you can look at it from the perspective of the companies that will be consuming those reports or reading those reports,” said Mark Fulford, Partner in the Risk Services division of LBMC. “It’s really a way for an organization to tell the story about what a great job they’re doing in providing services and controlling the environment as they take custody of customer data, or at least responsibility for performing some critical service for the customer,” Fulford said.
A SOC report will include information like company background, details about the services that are provided, as well as information on control objectives or risks related to the outsourced relationships. For many companies, an audit can be a chance to express worth to customers or promote trustworthiness to potential customers. In one common example, a healthcare organization that uses a cloud-based system to store sensitive medical information may leverage a SOC report to demonstrate a high level of data security.
But customer data wasn’t always the focus of SOC reports. In the past, the audits (formerly known as SAS 70s) were primarily centered on internal controls around financial reporting. Later iterations, however, allow for more technology-specific auditing on aspects like confidentiality and privacy, information security, systems availability, and processing integrity. In the future, Fulford said, reports will evolve even further alongside the overall state of information security, as they have recently with recommendations from the American Institute of Certified Public Accountants (AICPA) to combine the audits with frameworks from the Cloud Security Alliance and HITRUST CSF.
For more information about SOC reports, contact Mark Fulford directly by email at firstname.lastname@example.org.