A service organization control (SOC) report is an attestation of the service organization’s internal control environment. Our observation at Protiviti is that while pre-IPO companies prioritize financial and operational details, and, to a lesser degree, IT controls, even less attention is paid to the controls of the third-party service providers they’re engaging with. Simply obtaining the reports is not enough, however. The company needs to analyze the reports carefully and understand exactly what controls are in place and what aren’t.
This article underlines the importance of SOC reporting and how it can better prepare private companies for a successful public transition in the future.