Continually evaluate the established policy for SOC 1 reports that requires service organizations to provide a SOC 1 report over the control environment that is relevant and significant to the processing and recording of SBA’s transactions as it relates to the SVOG program. If a SOC 1 report cannot be obtained, management should design, implement, and operate controls within SBA’s control environment.