Key Questions to Consider when reviewing a SOC Report

SOCVirtually all businesses rely on third party service providers. These third parties may range from common offerings like payroll and payment processing providers to specialized SaaS applications and solutions, or may even be leveraged to replace entire divisions of a business (e.g. technical support or IT security).

To gain confidence in, and an understanding of a third party provider’s control structure, a Service Organization Controls (SOC) report can be leveraged.  These reports must be completed by an independent accounting firm and are an important element of Third Party Risk and Vendor Management.

Before you can begin to derive value from a SOC report, you first have to understand how to read them and also, how to spot a poor quality report. After all, SOC reports are no different than many other things in life- you get what you pay for!

Is the Report a Type I or Type II?

  • Note if the report is a Type I or Type II.  A Type I Control attests to control design only for a specific point in time. A Type II report should also test that the controls were operating effectively over a period of time.
  • If your third party provider is not undertaking a Type II assessment, inquire why. Where they unable to pass a Type II?
  • For Type II reports, make note of how long the audit period is, when it began and ended and if there were gaps before the last report. Ideally, you want your vendor to demonstrate that their controls are continually operating effectively with no gaps between the review periods.
Audit Tip:
If your third party provider provides a report with gaps in the audit period between the next and last report (e.g. a six month audit period), press them on why they don’t test for the operating effectiveness of their controls on a year round basis.

Consider the Scope of the Report

  • Pay attention to the scope of the SOC report. Review the Description of the System closely (Section 3) and verify that what is being addressed in the report aligns to the system/service which your organization is leveraging.
  • For SOC1 reports, consider the various Control Objectives and whether or not they comprehensively demonstrate that the organization has control over the processes in their organization that may in turn effect financial reporting in your own organization.

Read Between the Lines

  • You can quickly skim the Opinion and Management’s Assertion (Sections 1 and 2) to determine if any exceptions or issues were discovered during testing (for Type II reports), but also consider reviewing Section 4 of the document to gain a deeper understanding of the processes in place within your vendors organization.
    Audit Tip:
    When reviewing Section 4 of a Type II SOC report:

    • Be mindful of “non-occurrences.” Does it make sense that a control was listed but did not operate during the audit period?
    • Look for missing elements in both the Control Objectives (for SOC1 reports) and the design (or mix) of controls the organization has put in place to meet the Control Objective or Criteria.

    Don’t ignore the User Entity Controls!

    • Be mindful of User Entity Controls (located at the end of Section 3 of the document). These are the controls your vendors says your organization should be performing.
      • Your organization should be able to map all User Entity Controls directly to processes in place within your organization.

    Does the Report meet your Needs?

    • When reviewing SOC1 reports, consider whether the Control Objectives tested meet the requirements of your organization. Is the vendor testing everything your organization cares about (e.g. testing to demonstrate the integrity of a specific process, testing to demonstrate that sensitive data is properly secured in accordance with applicable laws and regulations, testing to verify that proper HR processes are in place, etc.?)
    • When reviewing SOC2 reports, consider the mix of controls in place to meet the various SOC2 criteria. Are there obvious gaps in testing (e.g. no mention of VPN, Firewall, or Backup Administrators in Common Criteria 5: Logical and Physical access)


    New more tips on demystifying your third party provider’s SOC report? Leave your questions in the comments!

Leave a Reply