When looking to entrust your assets to the specialized skillsets and knowledge of outside advisers such as carrying broker-dealers, hedge fund managers, third-party administrators, etc., why is performing proper due diligence during the onboarding process so critical?
This process is important and can enable any advisory firm to access additional market knowledge and specializations, while also creating flexibility within the firm to further reach the financial goals of its clients. However, this does not begin and end with onboarding. This is because an adviser’s main duty is the fiduciary duty that they have to their clients. This fiduciary duty includes, but is not limited to, ensuring that the prospective sub-adviser has the ability and intention to act within the best interest of its clients, has a history of sustainable positive performance best suited to maximize the financial assets of the current clientele and has a clean track record free of any regulatory or criminal marks that could open the firm up to future legal matters.
This is where due diligence becomes relevant, as part of the due diligence work is performing certain procedures, such as in-depth analysis of the sub-adviser’s investment strategy and performance history, interviews and checks on the current personnel team of the sub-adviser and administering due diligence questionnaires. While these are not the only procedures, they are key ones performed to ensure that the prospect aligns in every possible way, to help meet the needs of the investment adviser and its clients.
Not mentioned within the procedures above is a new and emerging factor that those performing due diligence are beginning to take note of, and that is whether the prospect has a System and Organization Controls (SOC) report.
Investment adviser SOC reports
A new and emerging trend among investment advisers is the adoption of a SOC report. SOC reports are typically seen with custodial entities that handle customer funds and securities and service providers such as payroll organizations, but are increasingly being adopted by investment advisers as data protection has become a popular topic due to continued cybersecurity threats.
There are various types of SOC reports, and each serves a different purpose and is performed for different types of organizations, but the most relevant type of SOC report for investment advisers is the SOC 2® report. The SOC 2 is a report that evaluates an organization’s management of customer data, focusing on five specific criteria, known as the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. SOC 2 reports, along with all forms of SOC reports, are performed by independent third-party licensed CPA firms.
So how could a SOC 2 report assist in due diligence? This report helps provide operational trust to users, as the report can give confidence that the organization has implemented proper controls to effectively protect the sensitive data of its customers. The existence of a SOC 2 can also assist with meeting regulatory compliance and industry standards, by reducing the risk of cybersecurity threats with well-implemented controls. These factors can also help provide a competitive advantage to organizations with a SOC 2 report, as it demonstrates strong data protection and operational effectiveness.
Baker Tilly has dedicated AICPA SOC specialists who perform hundreds of SOC engagements each year and help clients with their SOC reporting needs across a wide variety of industries. For more information on our SOC practice and to determine if a SOC report may be right for you, refer to our webpage on the subject.
The SOC 2 readiness self-assessment is designed to help you evaluate your organization’s internal processes and controls against the Trust Services Criteria (TSC). By completing the checklist, you’ll gain valuable insights into your current readiness state and identify areas for improvement.

