Is your SOC program paying off? Ask these four questions

When you look to enhance your external reporting and certification program, matching your team’s skills to your reporting inventory can be key. It may sound obvious, but skipping a skills assessment around external controls reporting is a relatively common mistake — especially after a merger. You should have team members with a working knowledge of security protocols and systems, as well as industry-specific requirements.

In one case, a pharmacy chain acquired a healthcare provider, but the acquiring firm didn’t have the in-house skills needed to produce the necessary SOC reports. They sought help from PwC to advise them on what reports were necessary and to serve as their project management office to help deliver their SOC reports to intended third parties.

What’s more, SOC and other controls reporting requirements may vary by sector — and there’s a host of industry-specific security standards that many service providers comply with to help meet customer expectations.

When a payroll service provider wanted to attract new clients in the media space, it sought to boost its reporting team’s understanding of the types of reports and certifications specific to the media industry. The team sought to connect and share knowledge with other companies to get up to speed on what reports and certifications media clients expect, including specific expectations on compliance reporting. Team members are now working to curate a reporting inventory to focus on.

Some controls covered in certain reports may overlap with industry-specific or regulatory-driven quality management certification protocols or reporting requirements, which can be an additional opportunity to help increase efficiency by combining efforts.

If you don’t actively monitor SOC and other external controls reporting activity, you may end up producing too many reports as well as some that simply aren’t necessary.

To address this, a technology provider asked PwC to help create a framework to vet reporting requests. The new process captures useful information such as the source of the request, the number of customers or stakeholders that would benefit, whether the lack of certification or report could impede new business and whether adding it could create new business. Assessing these details can help the reporting team make a more informed decision about whether to add new deliverables — as well as a way to evaluate the potential value of newly added reports.

Additional efficiency measures include exploring the possibility of delivering reports across groups of similar products rather than individual ones and comparing your control inventory to illustrative trust services criteria, control objectives and controls published by the American Institute of Certified Public Accountants (AICPA) so they can determine if your reports match industry expectations.

An organized approach to issues management can help streamline SOC and other controls reporting by establishing a process for handling issues — how they’re communicated and who should review them, as well as a timeline for doing so. External auditors strive to assist clients in working through issues to get better answers so they can help resolve them, but having guidance in this area leaves less room for error.

Many compliance and risk teams already use or are familiar with a variety of governance reporting and compliance (GRC) tech tools, some of which can be used to help streamline external controls reporting as well. Every industry has unique requirements and expectations, so the tools that work better may differ sector to sector.

Too many companies still track this activity in Excel spreadsheets when they could be using automation to help speed up and improve the efficiency of data collection and internal data sharing. Some GRC tools, for instance, let you generate certain reports or aggregate certain data in batches to share with the relevant teams at specified intervals. You can also leverage technology tools to standardize the look and feel of your reporting deliverables so they can appear polished and present unified branding.