Do Relocation Companies Require a SOC (System and Organization Controls) Report?

The answer to this question is clearly based upon the level of risk that the relocation company represents to its clients.  First, one must gain an understanding of the services provided by the relocation company, the sensitivity of the data shared with the relocation company, the risk to the user organization should the relocation company experience a data loss or security incident, and the awarding of relocation benefits not in accordance with the user organization’s relocation policies.

Services

The primary service provided by relocation companies is relocation expense management for user organizations. Many relocation companies also provide policy development or counseling, home sales, purchasing and rental, transportation of household goods and payroll and tax assistance.  With these services, relocation companies also provide sophisticated tools for transferees to use to help manage the relocation and other services provided. These tools house sensitive transferee information and manage the expenses that impact the user organization’s financial statements.

Data and Risk

Depending on the type of service provided by the relocation company, the data being handled can span from names and addresses to social security numbers, bank account numbers, financial data, or payroll information.  Some of this data is highly sensitive and if breached, could be used to commit identity theft.  This could result in material impact to transferees. This could also be considered a required reportable event under most state information breach laws and result in substantial cost to the user organization.  Not only does the relocation company hold this sensitive information, any vendor utilized by the relocation company in the services performed may also have access to the same information.  Depending on where the transferees are moving from and to, there could be potentially hundreds of different vendors utilized by the relocation company. The inherent risk of providing such sensitive information must be considered by user organizations, and prior to selecting a relocation company, the sophistication of the security and internal controls of the relocation company needs to be assessed.

Financial Implications

When performing services for a user organization, the relocation company is directed to follow the user organization’s policies for allowable services and expense thresholds. If these policies are not followed, there could be higher than expected costs or payments for services not allowed for the user organization. If payroll or tax services are performed by the relocation company, the accuracy of these services are essential to the employees being relocated.

Industry Requirements

Third-party management and regulatory requirements have significantly increased for a number of industries.  In particular, regulators are placing increased pressure on financial institutions to assess the security and controls of third-party vendors, evaluate data protection practices and understand the risk of their business partners. Healthcare organizations have adopted policies that require all third parties to demonstrate HITRUST compliance. Organizations migrating to a cloud environment have also raised the awareness of the need to evaluate data-protection capabilities of all business partners with which they share information.

Should a relocation company have a SOC report?  Clearly, there is considerable risk associated with many of the data-fueled services provided by relocation companies, along with significant financial implications, that would warrant a SOC report.  While a SOC report is not a requirement of the industry, the report would demonstrate to the user organizations that the level of security providing protection of data and the accurate and complete processing of expenses are major objectives and are taken seriously by senior management of the organization.  A SOC report would also present a distinct competitive and marketing advantage for the relocation company, providing an authoritative and respected method to communicate and demonstrate to the marketplace that protection of client information is as valuable as the quality of the service that it provides.

Do you think your organization could benefit from a SOC report?  Visit our Service Organization Controls page or contact one of our professionals to discuss your needs.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
IPE 101 – Differentiating Populations and Key Reports
IPE 101 – Defining and Understanding Information Produced by Entity
SEC Adopts Final Climate Disclosure Rules
Understanding SOC Report Opinions
The New IIA Global Internal Audit Standards - What You Need to Know Now
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×