As part of their annual vendor due diligence activities, many companies review System Organization Controls (SOC) examination reports. However, they’re often unsure of what they should be looking for in the report.
By knowing how to read a SOC report and determine what information is relevant to your organization, you can help ensure that you get the most value and assurance out of reviewing the SOC report — and know that you’re in good hands with your vendor.
Knowing the difference between SOC report types
Before you dive into the results of your vendor’s SOC audit, it’s important to first identify the type of SOC exam that was performed.
The report can be a SOC 1, SOC 2 or SOC 3 report. Furthermore, the type of report will be either a type 1 or type 2 report.
First, let’s lay out the differences between SOC 1, SOC 2 and SOC 3 exams:
- SOC 1 exams are intended to help you understand the effect of your vendor’s internal controls on your financial reporting.
- SOC 2 exams address the need for reports on controls other than those covering financial reporting. SOC 2 specifically covers controls relating to the security of the systems your vendor uses to process your data, and, where applicable, the availability, processing integrity, confidentiality and/or privacy controls related to that system. These five trust services categories have also been integrated with the 17 principles in the COSO framework, which groups principles into five internal control components: communication and information, control environment, monitoring activities, risk assessment, and control activities.
- SOC 3 exams are foundationally similar to SOC 2 exams, but a SOC 3 exam is used when an organization does not have the need for or the knowledge necessary to use a SOC 2 report. Notably, SOC 3 reports do not include a description of the system or the detailed description of the tests or test results that SOC 2 reports do.
But where do type 1 and type 2 come in?
A type 1 report covers the suitability of the design of controls, as of a point in time. A type 2 report covers the suitability of the design and operating effectiveness of controls throughout a specified period, typically ranging from 6-12 months.
The scope of the SOC report
The scope of a SOC audit may vary depending on the control objectives or criteria selected by your vendor (the service organization) and the existence of any key subservice providers.
Your company should determine whether the scope of the report appears adequate to meet your assurance needs. The scope of a SOC 1 exam is based on the control objectives selected by the service organization. Most SOC 1 reports cover their organization and administration, customer servicing, computer operations, software change management, logical security and physical security.
The scope of the SOC 2 and SOC 3 exam is determined by the criteria selected by the service organization.
To make sure the report is relevant to your company and adequately covers the vendor’s services that you use, it’s important to review the products and services addressed by the exam.
If your vendor uses a subservice organization to provide services that are relevant to internal controls, the vendor may exclude the subservice organization’s relevant control objectives and related controls from their description of the system and from the scope of the SOC exam (aka the carve-out method). Or the vendor may include the subservice organization’s relevant control objectives and related controls in their description of the system and within the scope of the engagement (aka the inclusive method).
If you’re reviewing a carve-out report, make sure to evaluate the impact of the services carved-out to determine if additional due diligence procedures are needed at your vendor.
Key SOC report areas to review
After evaluating the relevancy and adequacy of the SOC report, be sure to review these key areas: the opinion, the complementary user entity considerations (CUECs), complementary subservice organization controls, and any exceptions and responses.
SOC report opinions
A SOC report contains an opinion on whether the vendor’s description of their system is presented fairly and whether the system’s controls are suitably designed. A type 2 report also contains an opinion on whether the controls are operating effectively.
There are four opinions that the service auditor can issue:
- Unmodified opinion: Issued if the service auditor performing the SOC audit concludes that the description is fairly presented and the controls are suitably designed to achieve the control objectives or criteria included within the scope.
- Qualified opinion: Issued under various circumstances, including situations when the service auditor concludes that: 1) there are material errors, omissions or deficiencies in the description of the service organization’s system, 2) there are deficiencies in the design or operation of controls, and those deficiencies are not adequately described in the description, and/or 3) the controls are designed in such a way that at least one control objective would not be achieved.
- Adverse opinion: Issued when the errors, omissions or deficiencies in the description or design of the control objectives/criteria are pervasive or affect most of the control objectives/criteria. In some cases, the nature and extent of the exceptions, for a type 2 report, may lead the service auditor to conclude that most, or all, of the control objectives/criteria are unlikely to be achieved.
- Disclaimer: Issued when the service auditor could not form, and as such refuses to present, an opinion on the service organization’s description, design or operating effectiveness of controls. The service auditor may have tried to perform the engagement but could not complete the work due to various reasons — most commonly because the service organization hid or refused to provide evidence and information to the service auditor.
If the opinion is anything other than unmodified, your company should evaluate the cause and impact.
Complementary user entity considerations (CUECs) and complementary subservice organization controls
CUECs are controls that your vendor has included within their system that they’re relying on you to implement in order to achieve their control objectives. During the SOC report review, determine if the CUECs are applicable to you and if you have implemented them or need to do so to minimize your risk.
Complementary subservice organization controls are controls that your vendor has assumed are in place at their subservice organization and are necessary to achieve the control objective or trust service criteria.
What to do about exceptions
When you review the SOC report for any exceptions, determine the impact of any you identify and how the vendor plans to mitigate them. Exceptions do not necessarily mean you should change vendors, so long as your vendor has detailed sufficient plans or responses to the exceptions. The key thing is that the exceptions were identified and can now be dealt with.
How to read a SOC report
A SOC report can appear overwhelming, so it’s important if you’re relying on SOC reports for assurance over a vendor’s internal controls to know how to read them and what to look for.
If you have any questions or need assistance understanding what is relevant to your company, contact Wipfli. Or keep reading on in these articles:
Do I need a SOC exam? And do I need more than one?
Tips for passing a SOC audit