
SOC Report Benefits for Asset Managers

SOC Reports can support governance and streamline diligence for asset managers.

Asset managers oversee complex operational processes that support trading, reporting, and servicing activities across an increasingly interconnected ecosystem. In addition to investment performance, stakeholders often check how well an asset manager governs operational resilience, information security, and outsourced services. While sometimes overlooked, a System and Organization Controls (SOC) Examination can be a strategic tool that provides independent insight into control design and operating effectiveness for in-scope systems and processes, which can help support risk oversight and due diligence conversations.

While SOC Reporting is often discussed within the context of private equity and portfolio companies, it can be equally relevant at the asset manager level. For many managers, a SOC Report can provide independent assurance over operational processes that support retail and institutional servicing, such as trade processing, rebalancing, cash management, fee calculation, and data integrity. This transparency can help support diligence and onboarding discussions across the broader asset management ecosystem, including regulators, distributors, broker-dealers, retirement platforms, banks, and other parties that rely on the asset manager’s operational processes and reporting.

SOC Reporting: A Practical Overview

SOC for Service Organizations Reports are internal control reports on the services and/or systems provided by a service organization. They are designed to provide information that can help users assess and address risks associated with an outsourced service or a technology-enabled process.

  • SOC 1 Reports are specifically intended to meet the needs of entities that use service organizations (user entities), as their financial statement auditors (user auditors) use these reports to help evaluate the effects of the controls at the service organization on the user entities’ financial statements.
  • SOC 2 Reports are intended to meet the needs of a broad range of users who need assurance about a service organization’s controls as they relate to the security, availability, and processing integrity of the systems that the service organization uses to process its users’ data and the confidentiality and privacy of the information processed by those systems.

SOC 1 vs. SOC 2: Asset Manager & Portfolio Company Perspectives

| Report Type | Asset Manager Perspective (Examples) | Portfolio Company Perspective (Examples) |
| --- | --- | --- |
| SOC 1 | Relevant when processes and reports may affect financial reporting controls, such as fee calculation workflows used for billing, reconciliations that support financial reporting, and/or service arrangements that feed financial statement amounts. | Relevant when the portfolio company processes transactions that may affect customers’ financial statements, such as third-party administration, revenue cycle management, loan servicing, or other transaction processing services. |
| SOC 2 | Relevant when stakeholders are focused on information security and operational controls, such as access management, change management, incident response, system availability, and protection of confidential data supporting trade processing, rebalancing, servicing, and reporting. | Relevant when the portfolio company provides technology-enabled services or handles sensitive data and needs to demonstrate controls over security, availability, processing integrity, confidentiality, and/or privacy, specifically within regulated or high-trust markets. |

Manager-Level Operational Credibility

At the asset manager level, a SOC Examination report can help demonstrate that the operational processes supporting clients and counterparties are well-governed and repeatable. Common areas in scope may include trade processing, rebalancing, cash management, fee calculation, servicing workflows, and data integrity controls that support reporting and oversight. For large, distributed operating models, this independent perspective can help support consistency across business lines and provide a structured way to discuss controls with stakeholders.

This type of operational credibility can be relevant across the broader asset management ecosystem. Distributors, broker-dealers, retirement platforms, banks, and other parties may rely on an asset manager’s operational processes and reporting. In those cases, a SOC Examination report can provide an independent view of in-scope controls and help support more consistent diligence and onboarding discussions, subject to the report scope, period, and results.

Portfolio Company Control Maturity

Depending on the portfolio, asset managers may choose to leverage a SOC 1 and/or SOC 2 Examination as part of governance oversight to exhibit control maturity at portfolio companies. A SOC 1 Report may be more applicable when a portfolio company’s services are closely tied to customers’ financial reporting. Asset managers may also monitor contracts that reference SOC Reporting to better understand timing expectations, report scope, and responsibilities across service providers.

A SOC 2 Report may be valuable when a portfolio company’s services rely on technology and data protection, and when customers, business partners, and/or regulators expect transparency into security and operational controls. SOC 2 Reporting can help support due diligence discussions by providing an independent view of controls for in-scope systems. For some organizations, maintaining SOC Reporting over time can support exit readiness by demonstrating operational discipline and addressing common diligence themes. Outcomes depend on scope, findings, and stakeholder requirements.

Reduce Acquisition Due Diligence & Support RWI

When paired with Representations and Warranty Insurance (RWI), a SOC Report can help provide additional insight into a target company’s control environment during a mergers and acquisitions (M&A) process. RWI underwriters may consider the quality of internal controls, financial practices, and the technology environment when assessing risk. A current SOC 1 or SOC 2 Report, where appropriately scoped, can help reduce uncertainty and may streamline certain diligence discussions.

Beyond its role within RWI, a SOC Report can be part of an asset manager’s broader approach to strengthening risk oversight, improving operational discipline, and supporting more consistent governance expectations across investments.

Leveraging SOC Reporting Across the Portfolio

Asset managers with multiple portfolio companies that obtain SOC Reports should consider whether there are opportunities to coordinate interviews or align on common expectations. This process can be particularly helpful when the asset manager provides centralized services that can be evaluated as enterprisewide controls, such as Human Resources, Information Technology, data center hosting, or back-office function controls. A “test once, apply throughout” approach can help support consistency and reduce duplicative effort, depending on scope and service organization boundaries.

A Missed Opportunity for Some Asset Managers

SOC Reports have long served as an effective tool for communicating control discipline, yet some asset managers have not fully leveraged these reports into their broader governance and oversight strategy. When applied thoughtfully at both the asset manager level and the portfolio company level, SOC Examination reports can help present a more consistent picture of operational and information security practices across the investment life cycle. Within competitive environments, this independent perspective can help support diligence narratives with investors, customers, and other stakeholders.

What SEC Examinations Are Spotlighting

Recent SEC Examination priorities continue to emphasize:

  • Cybersecurity and operational resiliency, including how firms manage disruption risk and information security practices.
  • Oversight of third-party and vendor services that support essential operations and contribute to key records and processes.
  • Governance and controls around emerging technologies, including artificial intelligence (AI)-related risks, supervision, and accuracy of firm representations about AI use and capabilities.
  • Regulation S-P and S-ID readiness, including policies, procedures, training, internal controls, and oversight practices tied to safeguarding customer records and information.

How Forvis Mazars Can Assist

Professionals at Forvis Mazars are equipped to provide tailored services to help meet your unique needs. We provide services to private and public funds. For more information, please reach out to a professional at Forvis Mazars.
