Some organizations have heard of SAS 70, SSAE 16, and now SSAE 18, but haven’t seen the value beyond the fact that one of their customers requires it. The truth is, that’s a large part of the value: many companies will not even think about outsourcing functions to a company that does not have a clean SOC 1 or SOC 2 Type II Report in place, especially since Vendor Management reviews are now required.
Some benefits of having a SOC report in place include:
- Ability to perform outsourcing services for Public Companies.
- A Public Company that outsources financially significant duties is required to use a provider with a valid SSAE 18/SOC 1 in place, to give investors assurance over controls that are performed by the outsourcing Company.
- Public and Private companies are more likely to trust your organization with their data.
- Beyond any compliance requirements, if you were to trust a company with your data, you would want assurance it will be handled with the utmost care.
- A year-round accessible knowledge source (your auditors).
- As a service organization, large or small, you will always have questions regarding your business. Having a set of auditors in place with access to a wide array of business knowledge allows you to bounce questions and concerns off a group of trusted individuals who know your business.
- A third party to review your controls and activities to ensure they are functioning appropriately, and give advice on how to improve upon them.
- Sometimes your internal audit department is good, but not always as stringent as it should be. This will help to serve as a check on their work, as well as your staff. Additionally, if there were any findings noted, your auditors are in a great position to give you some tricks and tips to improve and help ensure everything functions well the following period.
- Improving performance of the organization.
- Just the knowledge that an employee’s work is being reviewed, and that the review can have far-reaching consequences for the company as a whole, improves performance. No more “Oh, I didn’t realize that reviewing user access was THAT important to do this month, sorry”; now everyone knows that if it’s not done, the success or failure of the organization could rest upon them.