How to Read a SOC Report (with Presentation)

Virtually all businesses rely on third-party service providers. These third parties range from common offerings such as payroll and payment processing providers to specialized SaaS applications and solutions, and may even be used to replace entire divisions of a business (e.g. technical support or IT security).

To gain confidence in, and an understanding of, a third-party provider’s control structure, a System and Organization Controls (SOC) report can be used. These reports must be issued by an independent CPA firm and are an important element of Third Party Risk and Vendor Management.


Before you can begin to derive value from a SOC report, you first have to understand how to read one and how to spot a poor-quality report. After all, SOC reports are no different from many other things in life: you get what you pay for!

1| What is the Report Scope and Audit Period?

Validate that the report covers the system and the audit period relevant to your organization. Specifically, the system described should be the service or application you are purchasing, and the audit period should be current. If the period ended several months before the date you receive the report, ask the provider for a bridge (gap) letter covering the time since.

2| What Criteria are in Scope for the Report?

Firms can choose between one and five Trust Services Criteria to include in the scope of their report (Security, Availability, Confidentiality, Processing Integrity, and Privacy). Security is always included in the scope of a SOC 2 report, but the other four are optional. Validate that the report meets your minimum expectations: if you are relying on the provider for uptime, for example, Availability should be in scope.

3| Is the Report a Type I or Type II Report?

SOC 2 reports can be either Type I or Type II. A Type I report covers the design of the controls at a single point in time. A Type II report covers both the design and the operating effectiveness of the controls over a period of time (typically six to twelve months), so only a Type II report tells you whether the controls actually worked. Unless this is a first-year report, the expectation is that firms obtain a Type II report.

4| What was the Auditor’s overall opinion?

An auditor’s opinion will normally be either Unqualified (that’s good) or Qualified (that’s bad); in rare cases an auditor issues an Adverse opinion or a Disclaimer of opinion, both of which are worse than Qualified. If the report is Qualified, upon examination certain controls were found not to be suitably designed or not operating as expected, and the firm could not meet one or more of the criteria in scope. You can find the opinion in the auditor’s opinion section (often titled “Independent Service Auditor’s Report”), which is usually the very first section of the report.

5| In your opinion, were the controls strong enough?

Unfortunately, SOC 2 reports come in all shapes and sizes, and quality varies. A clean opinion only means the controls management chose to describe were tested; it is up to you to review those controls and determine whether they meet your own firm’s standards. If there are questions the SOC 2 report doesn’t answer, it is up to you to follow up.

Insight: One area where reports often fall short is logical access and risk assessment. Two useful questions: 1) Did the auditor test every layer of access to the system being evaluated (network, operating system, database and application, not just the application front end)? 2) Did the firm perform a true risk assessment, and what were the results?

6| Were there any control exceptions?

If the firm obtained a SOC 2 Type II report, there will be a section that lists each control, the tests the auditor performed, and the results, identifying whether or not each control had exceptions. Where there are exceptions, there should also be a management response. You will need to determine whether those exceptions merit additional conversations.

Insight: It is not uncommon for firms to have exceptions. Examine for yourself whether each exception is high risk to your organization and whether management’s response is acceptable.

7| Are there any User Entity Control Considerations?

The SOC 2 report should have a section called “User Entity Control Considerations” (often labelled “Complementary User Entity Controls” or CUECs). This is where the audit firm specifically calls out the controls that are YOUR responsibility; the service organization’s controls are only effective if you operate these as well. One common example is user access: it is often your responsibility to appropriately assign (and remove) access for individuals within your company. You should review this section and ensure that your company understands its responsibilities.

8| Are there any Sub-service Organizations?

A Sub-service Organization is a fourth-party firm that the third party you are evaluating relies on to do business. The most common example is a fourth-party data center or cloud provider (the third party probably hosts its application with a fourth party). Note how the report treats them: under the carve-out method the sub-service organization’s controls are excluded from the report, so you should obtain that organization’s own SOC report; under the inclusive method they are covered. You should review this section to understand whether your data is hosted by, or accessible to, a fourth party by way of your new business partner. This could be especially important if you are dealing with financial or healthcare data.

9| Research the Audit Firm, but assess every report on its own merit.

If you do not recognize the audit firm that produced the SOC 2 report, don’t worry. Quality often varies heavily between SOC reports, even among reports issued by the same audit firm. It often depends on who within the firm performed the engagement and how much experience the firm has with SOC reporting.

Insight: Examine each report on its own merit. All CPA firms undergo peer review on a periodic basis. If you don’t recognize the firm, you can research it and read the results of its most recent peer review.


Shane Peden

Shane is an information technology and security specialist helping organizations navigate the complexities of cybersecurity, risk and compliance. His experience includes supporting IT infrastructure build-outs, information security program development and implementation, compliance project leadership and delivery, and executing IT risk strategy. Shane is a thought leader in his area of expertise and has authored numerous articles.