Let's get on each others' calendars.

SOC 1:

How to Inspire Confidence and Win New Clients

Bernie Madoff executed the biggest Ponzi scheme in history over the course of 17 years.

He managed to convince his victims to hand over a total of more than a hundred billion dollars for an “investing” program. Bernie subsequently used the funds to pay back previous victims who were waiting for their money, and Mad-e-off (I’m sorry) with the rest.

Whether for good or evil, confidence plays a massive part in everything to do with your finances. You need to be certain that anyone you trust with your financial details will not put them at risk.

SOC 1 audits exist to show that your business can do just that.

SOC 1 audits are an indispensable part of doing business if your business can have access to or information about your clients' money. They provide proof to your clients that you have the audits and controls in place to handle their information without putting it at risk.

Sadly, SOC audits are also mired in a wealth of unclear information and contradictory descriptions. That’s why today we’ll be covering:

  • Are you accountable for your clients’ financial details?
  • What is a SOC 1 audit?
  • Benefits of a SOC 1 audit
  • Drawbacks of a SOC 1 audit
  • SOC 1 vs. SOC 2
  • Type I vs. Type II
  • Don’t let confusion prevent you from getting certified

Let’s dive right in.

Are you accountable for your clients’ financial data?

Photograph of a white 1950s era telephone with a rotary dialer.

My grandparents were once the victim of a cold-calling scam.

They had saved for years to be able to treat their children and grandchildren whenever they wanted, and to live in security during retirement. All of that was undone in one afternoon when someone called them up claiming to be from their bank, asking for their account information “to make sure that they were talking to the right people”.

Unfortunately, with the complexity of modern businesses, there are far more points that scammers, hackers, and general bad actors can probe for financial information.

Let’s say that you’re the CFO at a mid-sized SaaS company. You don’t have to keep your clients’ financial information and/or access secure just to enable your software to work.    

You have an ironclad obligation to keep their data secure from criminals. If your business is the point of failure that causes bank accounts to be fraudulently cleaned out, you’re liable.

Here’s where the difficult part comes in; how do you make sure that your clients’ financial data is secure?

Not only that, but how do you prove to your clients that their data is secure?

You can’t reasonably expect someone to hand over their account details without some kind of assurance that you know what you’re doing. Otherwise they’re taking a risk which, if it blows up, will result in their money vanishing.

Traditionally, a transaction or promise between two parties is observed and verified by an impartial third party. By getting someone who has no stake in the game to verify the promises made, both parties can sit safely in the knowledge that someone can back them up if something does go wrong.

That’s precisely the idea behind SOC 1 audits.

What is a SOC 1 audit?

An overhead photograph of someone working on a spreadsheet on a laptop sitting on a white desk. The person has dark painted fingernails. Also on the desk are a newspaper, a coffee mug, a plant, a calculator, a pen, a variety of written notes and notecards, a cell phone, and a clipboard containing an invoice.

A Service Organization Controls (SOC) audit and report is your third-party verification that you’re equipped to securely handle your clients’ information.

There are three different forms of SOC audit, being SOC 1, SOC 2, and SOC 3. SOC 1 and SOC 2 focus on different elements of client data handling (we’ll cover SOC 2 audits further down in this post), and SOC 3 is the same as SOC 2 except the resulting information is condensed and publicly available instead of being locked under an NDA.

For now let’s examine SOC 1.

A SOC 1 audit is performed by a Certified Public Accountant (CPA) chosen by the American Institute of Certified Public Accountants (AICPA) to assess whether the measures and other financial audits you have in place are sufficient for keeping your clients’ financial data secure.

These independent accountants perform the audit by following the framework set out by The Statement on Standards for Attestation Engagements No.18 (SSAE 18). This replaced the previous SSAE 16, which in turn replaced the SAS 70.

This double-checks your audits’ effectiveness and verifies to your clients that they can trust you with their information without having to assess your systems and processes themselves. It’s both a sign of social proof which you can show existing, new, and prospective clients, and an internal stamp of quality which you can present to your CEO to show that you’re safeguarding client data.

I know that this sounds complicated, but I’m including more technical terms than necessary to clear the air. The documentation surrounding SOC audits is full of legalese and jargon, so here’s all you need to know when someone starts talking (or asks you) about SSAE 18, SAS 70 or SOC audits.

SOC 1 audits prove to your clients that they can trust you with their financial data. They’re carried out by independent accountants who follow the SSAE 18 framework to test your safeguards and other financial audits to make sure they’re up to scratch.

Benefits of a SOC 1 audit

Okay, so you know what a SOC 1 audit is, but you’re probably not clear on why exactly you’d want to have one carried out. So let’s dive into the benefits of having a SOC 1 audit:

  • SOC 1 audits give clients confidence
  • Certain clients will require compliance
  • It’s an instantly recognizable universal standard
  • Potential profits increase

SOC 1 audits give clients confidence

Close up image of a man's hands holding a pen and a piece of paper above a stack of papers and an open laptop computer. The man is wearing a suit. In the background is another man wearing a suit.
Source, image under public domain license

SOC 1 audits are the independently assessed stamp of approval for your methods of handling customer financials. To your clients, this means that they can immediately see that someone who knows exactly what they’re doing has gone into your organization, checked it for weaknesses, and not seen anything to cause alarm.

In other words, it’s a sign that they can trust you with their sensitive financial data and the ability to alter their financials.

Certain clients will require compliance

Beyond confidence, some clients will require you to have SOC (1 or 2) compliance before committing to doing business with you. Therefore, the sooner you meet the requirements, the sooner you expand your potential client base.

It’s an instantly recognizable universal standard

Any and all companies that provide services which affect their clients’ internal controls over financial reporting (ICFR) will likely be required to have SOC compliance as standard. In other words, your clients are going to recognize it as part of a package that they require.

It’s not a case of running through several different authorities for several different clients. SOC compliance is universally accepted as a check for your ability to safely handle your clients’ financials, so it’s an indispensable mark of verification for your business.

Potential profits increase

A messy stack of small groups of $50 and $100 bills, held together with rubber bands.

SOC 1 compliance widens the net for potential clients to include those who won’t trust you with their financials otherwise. Assuming everything else is running smoothly, this means that your profits will grow purely due to widening the top of your funnel.

That’s not even mentioning the relative wealth of those clients either. After all, if you were a large company, wouldn’t you be more likely to require independent checks to make sure that your data is safe with a company?

Drawbacks of a SOC 1 audit

Now let’s cover the drawbacks of SOC 1 audits. Namely, these are:

  • SOC audits are expensive
  • Your vendors also need to be compliant
  • Your clients might not need you to have one
  • You could end up with the wrong audit

SOC audits are expensive

No matter what kind or type of SOC audit you go for, it will be expensive. Unfortunately, reports on the costs for all of these vary wildly.

For example, SSAE-16 report that SOC 1 Type I audits roughly cost anywhere from $10,000-$30,000. Justin McCarthy (Co-Founder and CTO of strongDM) states that the cost of an auditor for a SOC 2 Type I audit is similar, being roughly $12,000-$17,500.

However, in the same post McCarthy goes into great detail about the unreported costs of a SOC audit, such as the relative lost productivity and legal costs. He estimates that the final cost of their audit was closer to $147,000!

Your vendors also need to be compliant

There’s no point in you having rock-solid financial controls if the vendors you’re using to provide services that also touch client financial data are full of weaknesses. Thus, in order to pass your SOC 1 audit you need to know that your vendors have all had their own SOC 1 audit performed.

It’s not difficult - all you need to do is ask your vendors to verify that they’ve had a successful SOC 1 audit - but it’s a drawback because you can’t pass your own if your vendors haven’t. Or, rather, it’s possible to pass your own still if you’ve verified that your vendor’s control procedures match your own SOC 1-compliant measures and you’ve evaluated their risk and potential impact to your data is low.

In other words, you practically have to do a mini SOC 1 audit on your vendors yourself if they haven’t had one performed.

It’s a potential roadblock that you have absolutely no control over, unless you’re willing to change vendors as a result of their non-compliance.

Your clients might not need you to have one

Photo of an office without a person in it. In the office is a white desk, white desk chair and wall-mounted heater. On the desk is a tablet, a desktop computer with monitor display, a keyboard, a mouse and two speakers. The office walls have windows from about waist height-up on two walls, Through the windows one can see a river and a cityscape beyond. Could be Boston, Philadelphia, or another similar city.
Source, image used under public domain license

There are two possibilities with this drawback; either your client could be misinformed and doesn’t actually require you to be SOC 1 or 2 compliant, or they could be using the lack of it as a smokescreen.

Being misinformed is simple enough, as in this case the clients you’re hoping to bring in based on your SOC 1 audit report could be converted without it. The key should instead be communicating with them and educating them on why you don’t need one.

Otherwise, there’s always the chance that your clients don’t need you to be SOC verified, but are using it as an excuse to not commit to a purchase they don’t want to make.

This is harder to prove (these clients won’t want to admit to it) and there’s nothing you can do to change it (these potential clients are already lost), but it’s worth remembering. Not all of the clients who say they’ll buy if you get an audit will actually commit to the purchase, so the projected benefit of doing so must account for this before you make your decision.

You could end up with the wrong audit

At first this might sound ridiculous - how could an independent, certified accountant produce the wrong audit, leaving you more vulnerable to data breaches and more legally responsible for said breaches?

That’s the thing, they don’t.

The documentation surrounding SOC audits is so convoluted, confusing, and vague that it’s difficult to know if you need one at all, let alone whether you need to be SOC 1 or SOC 2 compliant.

Combine the chance of not just you, but your clients being confused about which type of audit you need, and you have a minefield of options. For example, a core client could require you to have a SOC 1 audit, but get their nomenclature mixed up and instead request a SOC 2 audit certification.

Even if you and your clients get everything right and fully understand what is needed, different clients may require different audits. In short, it’s a field full of uncertainty and confusion.

So let’s clear up some of the mist.

SOC 1 vs. SOC 2

Image of a woman sitting at a desk taking notes in a notebook while also looking at a laptop computer screen. She wears a pink ribbon on her button-up shirt and a purple watch.
Source by Mweufika, image used under license CC BY-SA 4.0

First up, let’s make the differences between SOC 1 and SOC 2 clear.

A SOC 1 audit concerns only the financial controls you have when it comes to your clients. SOC 2 audits are much wider scope, and are focused on five “trust service principles”. These principles are:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

In other words, if a prospect or client wants independent assurance that you, as a software company, aren’t going to abuse their data either on purpose or by accident, they’ll want you to have a SOC 2. If your prospect or client is a public or highly regulated company, they may instead be on the lookout for a SOC 1.

Even simpler, if your client is talking about financial reporting or controls, SOC 1 is your audit. If they’re talking about your controls related to your operations and compliance, you’re looking at a SOC 2.

SOC 3 audits were mentioned earlier, but these are functionally the same as a SOC 2 audit. The only difference is that these are intended for public consumption, potentially as part of marketing material.

Unfortunately, we’re not done with the different kinds of SOC audits though, as SOC 1, 2, and 3 audits can all also fall into one of two types…

Type I vs. Type II

SOC audits can be Type I or Type II. Don’t worry - these are much easier to remember than the differences between SOC 1, 2, and 3.

Type I SOC audits are a snapshot of a specific point in time. So, a SOC 1 Type I audit would be an assessment of the financial controls your company has in place at the time the audit is performed.

Type II SOC audits are performed over a set amount of time and account for that entire period. These are much more expensive to carry out and more difficult to perform well in, but as a result are considered to be a more reliable indicator of whatever the audit is assessing. A SOC 1 Type II audit would assess your financial controls over a set time period, such as six months or a year.

Don’t let confusion prevent you from getting certified    

I’ve mentioned several times how confusing much of the documentation surrounding SOC audits is, and it really is a shame. It’s an incredibly useful way to show your clients that you’re capable of safely doing business with them and, with a little help, it’s really not that complicated to understand.

The simple truth is this; if you have access to or information about your clients’ money, you’re going to want to have a SOC 1 audit.

By doing this you’re paving the way for larger, more profitable clients to have the confidence to sign up and verifying that your financial controls are suitable for the information you’re dealing with.

What are you waiting for?

Engineering Concepts for CFOs