Namely SOC Reports

This article provides an overview of the SOC Report and download instructions.

OVERVIEW

A System and Organization Controls report, commonly referred to as a SOC report, is a formal opinion from a certified auditing firm on the effectiveness of a service organization's internal controls. It provides audit data looking back over a previous time period and is not intended to report on current data. These reports are designed to help service organizations provide clients with a higher level of comfort regarding the security of their confidential data.

Many organizations that use Namely also have audit and compliance obligations to review SOC reports from all critical service providers annually. Others review these reports as a risk management best practice.

BRIDGE LETTER

A Bridge Letter is a written attestation by Namely that there have been no significant changes in our control environment since the report's end date that may impact the conclusions reached in the SOC Report.

SOC reports are typically prepared for the 12-month period from October 1 to September 30. However, most organizations operate on a financial calendar from January 1 to December 31. Therefore, a bridge letter covering a three-month period from October 1 to December 31 is sufficient for most organizations.

TIP:

Bridge Letters are signed by Namely and not a certified auditing firm.

REQUESTING SOC REPORTS AND BRIDGE LETTERS

To request copies of Namely’s SOC Reports and Bridge Letter, please submit a case in ClientSpace with the following settings:

Category: HRIS

Type: Other

Subject: SOC Reporting Request

Description: Please include the kind of SOC Report (SOC Report 1 Type 2 or SOC Report 2 Type 1) you’re requesting, the time period that needs to be covered, and whether you need a Bridge Letter.

FREQUENTLY ASKED QUESTIONS

What is the difference between a SOC 1 and SOC 2?

The SOC 1 details the controls Namely has implemented to ensure payroll and benefits operations are conducted in a secure and industry-recognized manner. A SOC 2 details the controls in place for the Namely SaaS platform to ensure that your data is stored, transferred, and processed by Namely in a secure manner. While there is much overlap between the two, the focus of the reports is different. Refer to the AICPA’s website for more information.

What is the difference between a Type 1 and Type 2 report?

SOC reports (both SOC 1 and SOC 2) can be either a Type 1 or a Type 2 report. A Type 1 report is a description of a service organization’s system and an auditor’s report on the suitability of the design of controls of that system at a point in time (i.e., a snapshot). A Type 2 report goes a step further, where the auditor also reports on the operating effectiveness of those controls over a period of time. Both reports are attestations of rigorous examinations that can be used to meet a client’s audit and security standards.

Does Namely have a SOC 2 Type 2 report?

No. Namely does not currently have a SOC 2 Type 2 report. However, we are working towards that goal. In the meantime, the combination of the Namely SOC 1 Type 2 and SOC 2 Type 1 reports should be sufficient for most auditors and security teams. The Namely SOC 1 report includes generalized IT control objectives in order to provide additional assurance in the following areas. Refer to the Namely SOC 1 Report for details.

  • Control Objective 6: Change Management

  • Control Objective 7: Logical Security

  • Control Objective 8: Backup

  • Control Objective 9: Physical Security

Is the Namely platform less secure without a SOC 2 Type 2 report?

No. Namely continues to maintain strong platform security measures. Learn more about Namely's security measures and controls by reviewing www.namely.com/trust and the security-related IT control objectives in the SOC 2 Type 1 report listed above.

Can I get a bridge letter for a different time period?

Namely provides updated bridge letters quarterly (January, April, and July) for organizations that do not have standard fiscal or audit periods. The Bridge Letter section above will be updated when the new bridge letters are available. We generally do not provide signed bridge letters for other dates.

What about SOC Reports covering different time periods? Can I access those?

You sure can! Submit a request with the time periods you need, and we will send them your way.

What if I have additional questions?

Please submit a case in ClientSpace as outlined above.