7-23-21

2C — July 23 - August 19, 2021 — Owners, Developers & Managers — Mid Atlantic Real Estate Journal

www.marej.com

Owners, Developers & Managers

Understanding SOC Examinations and Their Relevance to the Real Estate Industry

By Tom Miller, CPA, CITP, CISA, Withum

With security scrutiny booming due to reliance on service providers, the SOC report continues to advance from “nice-to-have” to “need-to-have” for vendors across all industries, including real estate services. System and Organization Controls (SOC) reports are issued by independent accountants under AICPA standards and enable companies to identify and attest to the effectiveness of their internal controls. The two most common SOC reports assess two broad ranges of controls: controls that impact client financial statements (known as a “SOC 1” report) and controls relevant to the security, availability, processing integrity, confidentiality, and/or privacy of the provided services (known as a “SOC 2” report). To add a layer of complexity, each SOC report has two types – Type I addresses a company’s control design at a point in time and Type II addresses a company’s control design and operating effectiveness across a period of time.

SOC reports are typically requested by a company looking at using another company’s services. A SOC report can give the buying company comfort that the servicing company has the controls and security measures in place to keep their sensitive information safe and process their transactions appropriately. Existing and prospective customers alike may be adamant when it comes to a vendor organization providing a SOC report and, if there isn’t one available, they may consider taking their business to a competitor.

The thought of going through the process of obtaining a SOC report may be worrisome to a management team who has not gone through the process previously. When reaching out to an independent accounting firm to begin the SOC journey, there are ways for management to set itself up for the best possible outcome.

Companies typically begin the SOC journey by completing a Readiness Assessment in order to prepare for the SOC audit. The Readiness Assessment’s purpose is to help an organization identify the existing controls in place related to the SOC scope, as well as the gaps needing remediation, in order to be in a position of having strong internal controls before the SOC examination begins. After the Readiness Assessment concludes, companies typically follow with a Type 1 SOC report and subsequently a Type 2 SOC report, or follow directly with a Type 2 SOC report.

The driver for organizations to undergo a SOC examination will vary based on the nature of services being provided to its customers, although a classic trigger is a customer saying, “If you want our business, we need a SOC report contractually each year.”

Between SOC 1 and SOC 2 reports, both have their purpose within the real estate services industry. For example, a service provider may be performing lease administration activity on behalf of a customer, with the leases and abstracted data all stored in software controlled by the service provider. In this example, a customer is relying on the service provider to ensure the financial information being produced has sound data integrity, and a SOC 1 report is a great fit to address customer concerns, as well as the customer auditor concerns. The same thought process goes for other real estate services being provided, such as facilities management, asset management, transaction management, and accounting services.

Customers may want to ensure that the service providers have proper controls in place around the security, availability, confidentiality, processing integrity, and privacy of a service being provided. It isn’t uncommon for customers to send lengthy security questionnaires to service providers asking questions to obtain comfort and, depending on the number of customers that send different questionnaires, it can be very time consuming for organization resources to provide responses. The SOC 2 report is commonly accepted as a replacement to completing questionnaires provided by customers, allowing a service provider to get assessed one time and share the resulting report with inquiring customers.

(continued on page 8C)
