By Marc Blythe & Emilie Guilbaud
As more businesses turn to software-as-a-service (SaaS) platforms to manage everything from payroll and finance reporting to IT and enterprise resource planning, a critical question arises: Can you truly outsource risk?
The short answer: no.
“Outsourcing risk” refers to the mistaken belief that by hiring a third-party SaaS provider to handle certain business processes, a company also transfers the responsibility for compliance, security and oversight to that outsourced entity. However, while the service may be outsourced, the risk and accountability remain with the company.
The Illusion Of Outsourcing Risk
Most companies rely on third-party SaaS platforms to handle significant processes. These platforms often manage sensitive processes like payroll, timekeeping, financial reporting or customer data. It’s easy to assume that, by outsourcing to a reputable provider, you’re outsourcing the risk, too.
Regulatory bodies like the Public Company Accounting Oversight Board and the American Institute of Certified Public Accountants are clear: Companies must maintain oversight of outsourced systems that impact financial reporting or data security. System and organization controls (SOC) reports verify that third-party services are being managed properly. Even without regulatory pressure, it’s simply impractical for every client to audit their providers directly. SOC reports offer a standardized, efficient way to ensure key controls are in place and working as intended.
A SOC report is one of the most important tools for understanding how well a SaaS provider is managing risk. There are two main SOC report types:
- SOC 1 reports focus on controls related to financial reporting. These are especially relevant for public companies and others required to comply with Sarbanes-Oxley (SOX) requirements.
- SOC 2 reports focus on broader IT controls, including security, availability and data integrity. These are often more technical and pertain to how systems protect data.
A SOC 1 Type 2 report is typically the gold standard—it assesses how well a system’s controls operate over time (not just at a single point in time). If you’re relying on a SaaS provider for a core function, this is the report you want.
Why You Can’t Just ‘Get The Report And Move On’
In the past, companies might have received a clean SOC report (sometimes called an “unqualified” or “unmodified” opinion) and assumed they were in the clear. That’s no longer good enough.
Today, auditors and regulators expect companies to do more than collect reports—they must review them, analyze what services are covered and ensure the controls in place align with their own internal compliance needs.
Here’s why this matters:
- A SOC report may cover only some parts of a service rather than all of it, or it may cover multiple services or modules that your organization does not use.
- Some reports contain deficiencies, or control gaps, that you need to be aware of and whose impact on your organization you need to evaluate.
- If your provider outsources to other services (a common situation known as a subservice organization), that risk may be carved out of the report entirely, and you’ll need to evaluate those providers separately.
Real Risk: When You Don’t Know What You Don’t Know
One of the most common and serious risks businesses face when relying on third-party platforms is simply not knowing what’s in the report—or failing to verify that it’s even the right one.
For example, a company requests a SOC report from its payroll provider, but the report is for a different processing location entirely. No one notices until it’s too late. If you’re not sure what you’re reading—or if you’re even looking at the right document—you could be exposed without realizing it.
Recommendations For Business Owners
Whether you’re considering a new SaaS platform or reviewing existing ones, here’s what you should do to ensure compliance and minimize risk:
1. Ask the right questions.
- Do you provide a SOC 1 Type 2 report?
- Who performs the audit?
- Is the auditor reputable?
- What services and time periods are covered?
- Are there any “carve-outs” (areas excluded from the report)?
2. Review reports regularly.
SOC reports are often issued on a six- or 12-month cycle. Make sure the period aligns with your fiscal year and audit needs. Ideally, you want a report that provides at least nine months of coverage relevant to your financial year; a rolling annual report period typically provides this. For any remaining months, ask the provider for a bridge letter covering the gap.
3. Understand your role.
Most SOC reports include a section outlining “complementary user entity controls.” These are actions you, as the client, must take to ensure the system functions properly. These might include segregation of duties, approval processes or periodic reviews. If you’re not performing these tasks, your risk increases significantly.
4. Be ready for failure.
If a provider receives a qualified opinion (meaning their controls weren’t working properly), you’ll need to perform extra procedures to ensure your data is still accurate. For example, if a payroll provider has control gaps, you might need to run your own checks to confirm pay was calculated correctly throughout the year.
5. Plan for continuity.
Always have a contingency plan in case a provider fails, is breached or becomes unavailable. This should include:
- The right to audit your provider
- Backup processes for critical functions
- Regular vulnerability testing and cybersecurity assessments
- Documentation that shows your team has reviewed SOC reports and is performing the required internal controls
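As an added illustration of the five steps above (this is example code written for this article, not a tool from the authors or from Blythe Global Advisors), the following script records what a SOC report actually covers and applies the review questions mechanically: it checks that only Type 2 periods count toward coverage, measures how many months of the fiscal year are fully covered against the nine-month target, lists any coverage gaps that would need a bridge letter or interim procedures, and flags qualified opinions, noted control exceptions and carved-out subservice organizations for follow-up. The `SocReport` record, its field names, and the sample provider names are assumptions constructed for the example, not any standard schema.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example of the due-diligence checks described above.
# The SocReport record and its field names are assumptions, not a standard schema.


@dataclass
class SocReport:
    provider: str
    report_type: str            # e.g. "SOC 1 Type 2"
    period_start: date          # first day of the examination period
    period_end: date            # last day of the examination period (inclusive)
    opinion: str                # "unmodified" (clean) or "qualified"
    carve_outs: list = field(default_factory=list)   # subservice orgs excluded
    exceptions: list = field(default_factory=list)   # control gaps noted by the auditor


def _days(start, end):
    """Yield every date from start to end, inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def covered_days(reports, fy_start, fy_end):
    """Set of fiscal-year dates covered by at least one Type 2 report period."""
    covered = set()
    for r in reports:
        if "Type 2" not in r.report_type:
            continue   # a Type 1 report is a point-in-time snapshot, not period coverage
        lo, hi = max(r.period_start, fy_start), min(r.period_end, fy_end)
        if lo <= hi:
            covered.update(_days(lo, hi))
    return covered


def coverage_gaps(covered, fy_start, fy_end):
    """Contiguous (start, end) ranges inside the fiscal year with no report coverage."""
    gaps, gap_start = [], None
    for d in _days(fy_start, fy_end):
        if d not in covered and gap_start is None:
            gap_start = d
        elif d in covered and gap_start is not None:
            gaps.append((gap_start, d - timedelta(days=1)))
            gap_start = None
    if gap_start is not None:
        gaps.append((gap_start, fy_end))
    return gaps


def months_fully_covered(covered, fy_start, fy_end):
    """Count calendar months of the fiscal year in which every day is covered."""
    count, first = 0, date(fy_start.year, fy_start.month, 1)
    while first <= fy_end:
        nxt = date(first.year + (first.month == 12), first.month % 12 + 1, 1)
        last = min(nxt - timedelta(days=1), fy_end)
        if all(d in covered for d in _days(max(first, fy_start), last)):
            count += 1
        first = nxt
    return count


def assess_provider(reports, fy_start, fy_end, min_months=9):
    """Apply the checklist questions to a provider's reports and return the findings."""
    covered = covered_days(reports, fy_start, fy_end)
    gaps = coverage_gaps(covered, fy_start, fy_end)
    months = months_fully_covered(covered, fy_start, fy_end)
    findings = []
    if months < min_months:
        findings.append(f"only {months} months of Type 2 coverage; want at least {min_months}")
    for lo, hi in gaps:
        findings.append(f"no coverage {lo} to {hi}: request a bridge letter or perform interim procedures")
    for r in reports:
        if r.opinion != "unmodified":
            findings.append(f"{r.provider}: {r.opinion} opinion, run compensating checks on the affected controls")
        for exc in r.exceptions:
            findings.append(f"{r.provider}: control exception '{exc}', evaluate the impact on your own reporting")
        for sub in r.carve_outs:
            findings.append(f"{r.provider}: subservice org '{sub}' carved out, obtain and review its own SOC report")
    return {"months_covered": months, "gaps": gaps, "findings": findings}


# Constructed sample: a calendar-year 2024 fiscal year and a rolling annual SOC 1 Type 2
# report whose period ends 30 September, the common situation the article describes.
FY_START, FY_END = date(2024, 1, 1), date(2024, 12, 31)
SAMPLE_REPORTS = [
    SocReport(
        provider="ExamplePayroll (constructed)",
        report_type="SOC 1 Type 2",
        period_start=date(2023, 10, 1),
        period_end=date(2024, 9, 30),
        opinion="unmodified",
        carve_outs=["ExampleCloudHost (constructed)"],
    ),
]

if __name__ == "__main__":
    result = assess_provider(SAMPLE_REPORTS, FY_START, FY_END)
    print(f"Months of the fiscal year fully covered: {result['months_covered']}")
    for finding in result["findings"]:
        print("-", finding)
```

On the sample data the report covers January through September 2024 (nine full months, so it meets the target) and leaves October through December uncovered, so the script asks for a bridge letter for that quarter and separately flags the carved-out hosting provider, which needs its own SOC report. The same structure can hold several reports from one provider (for example a prior rolling report plus the current one) and will merge their periods before measuring coverage.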
Reviewing these technical reports isn’t something most business owners want to do—or should do alone. The reports can be hundreds of pages long, full of legal and IT jargon and easily misinterpreted. That’s why many companies partner with advisors who understand both the regulatory requirements and the inner workings of SOC reporting (full disclosure: Blythe Global Advisors offers these services). Working with an expert advisor can ensure you not only understand the SOC report, but also what the outsourced SaaS is for and any risks associated with its use.
SaaS Isn’t A Compliance Shortcut
Outsourcing to SaaS platforms offers flexibility and efficiency, but it doesn’t mean you can outsource responsibility. Regulators are making it clear: Oversight is non-negotiable. Understanding what’s in your SOC reports, acting on deficiencies and maintaining internal controls are essential to protecting your business from financial and reputational risk.
Marc is a results-oriented professional with a broad range of leadership experience in complex multinational private and public companies. He has over 20 years of experience at Ernst & Young, including work at the national office designing and implementing the firm’s audit process and creating industry-specific tools, templates and knowledge bases that assisted E&Y executives worldwide.
Emilie brings 20+ years of global advisory experience, blending IT, audit, and data analytics to drive complex projects and process improvements. Her cross-industry expertise and ability to bridge technology and risk make her a key asset to our team and clients.
Blythe Global Advisors is an accounting advisory firm with a difference. We have a proven track record of helping companies – from startups to brand-name enterprises, U.S.-based and international – fill the gap in accounting and financial expertise. Whether you need help with a simple financial statement or a complex business combination, we offer customizable, flexibly priced solutions that we deliver via our world-class service delivery process.