System and Organization Controls (SOC) reports provide third-party assurance and significant time savings for large energy company

Client profile

The client is a large energy company that designs and implements custom energy efficiency and renewable energy programs for utilities, municipalities and states. Their programs help their end-user residential customers and business clients reduce their energy consumption. They deliver their services through various methods, which include prescriptive and custom incentives, direct installation, new construction and education and awareness.

Our client’s needs and solutions

Baker Tilly forged a strong client relationship, providing multiple services for the organization’s evolving needs:

  1. The energy company received multiple requests (questionnaires) from clients asking for information about the company’s process and controls related to their energy savings management program and related systems. To support transparency and the demand for greater assurance, the company needed a robust internal control structure that could be examined by a third party. 

    Baker Tilly approached the engagement by first overhauling the energy company’s existing SOC 1 report. To do this, Baker Tilly completed a SOC readiness assessment, which focused on understanding the company’s operating environment and developing a roadmap for SOC reporting options to meet the needs of both the company and their clients. Baker Tilly developed recommendations for the energy company to consider prior to beginning their second SOC examination efforts.

    Upon completion of the readiness assessment, the client had a finalized control playbook that drove the completion of a successful second SOC 1 report.
  2. Three years later, the organization’s client requirements began to shift from SOC 1 needs regarding internal control over financial reporting to SOC 2® requirements regarding the security of data. They tapped Baker Tilly again for a SOC 2® readiness assessment, which would address the security elements of the Trust Services Principles. During the readiness assessment, Baker Tilly identified and evaluated the energy company’s controls in place to satisfy the criteria set forth in the AICPA’s Trust Services framework. The assessment confirmed their processes and controls sufficiently addressed the Trust Services Criteria (TSC).
  3. Baker Tilly also supported the energy company during various acquisitions that involved new service lines and systems requiring SOC examination reports. Baker Tilly performed readiness assessments to prepare the new subsidiaries for first-time SOC reporting and incorporation into the company’s SOC reporting process. Baker Tilly also assisted the energy company in navigating new guidance changes in the TSC, effective for their reports in 2019. Baker Tilly held a workshop with the client to talk through the new requirements, what they mean and how they could impact controls. The workshop identified which processes required implementation and produced recommendations to ensure successful SOC 2® reports under the new criteria.

Results achieved

The energy company received SOC 1 and SOC 2® reports that satisfied their clients’ transparency and assurance demands regarding their internal controls over financial reporting, operations, technology and security. Additionally, the SOC reports allowed the organization to respond to multiple client security questionnaires in a standardized way, which produced a significant time savings for the organization.
