A high-quality SOC report is a thorough analysis of a service organization’s internal controls. The extent of the analysis often lends itself to a long completion timeline and a significant time investment. Because of the time and money involved, some service organizations may try to circumvent the SOC reporting process. How? Instead of obtaining their own SOC reports, they give their clients (or users) the SOC reports that their service organizations – also called “sub-service organizations” – procured for themselves. As a result, the users (and their auditors) are unequipped to perform their diligence related to the service organization. To help increase their chances of detecting a counterfeit, user organizations and auditors should know the following:
- Why a service organization might use a misleading report
- Why the logic behind this practice is unsound, and
- What steps they can take to spot an “imposter”
In Parts 2 & 3 of our Solving the Mystery of Misrepresented SOC Reports series, the Auditwerx team will discuss how to play detective with forged SOC reports, and how to find the right partner in crime.