Have you had a customer ask if you have a “SOC” report they could review? Or perhaps your sales team lost potential new contracts because you didn’t have a SOC report or couldn’t answer if you were “SOC compliant”. Here are 4 tips for understanding if you need a SOC report and how to have a successful start.

1) Understand the “why”.

Talk directly with your current customers who have inquired about it. Understand why they are asking and how it impacts them. You might find out they want to increase business with you or they might be shopping at your competitors due to a lack of SOC report.

Talk with your sales team. Are contracts being lost due to a lack of SOC report? How often to customers or potential customers ask about it?

Try to financially understand the impact if you go down the SOC road.

2) Never leave your team in the dark.

Once you’ve quantified the “why”, ensure everyone from sales, IT, HR, accounting, operations and leadership are fully aware of what you’re considering. Their buy-in is critical to the success of a clean SOC report.

3) Talk to regional and smaller audit firms who specialize in SOC.

Request references from their clients who are in the same industry.

I also never recommend utilizing the Big 4 or even the larger 8-10 national firms. The higher costs of those firms will minimize the benefits of the future report.

4) This isn’t a one-time process

This will not be a one-time, stand-alone instance. Customers will want to see bridge letters and future reports which show you have continued to address their reason for asking for a SOC report past the first reporting date. Creating internal processes that are repeatable in the long-term will greatly benefit your organization.

Bonus tip

You know your business. You’re an expert at what you do. We know SOC. Let us be the support you need between your team and the auditors. Training, mock audits, organization of critical files, and direct support during the SOC attestation process. thomas@r-vmc.com