Vendor due diligence is a key task that companies must perform when deciding whether to engage another company or vendor. A critical part of many businesses' vendor due diligence strategies is reviewing the vendor's system and organization controls (SOC) report for service organizations.
A SOC report is a comprehensive report that provides user entities and potential customers with information about the service organization's internal controls, which were examined by an independent auditor during what is called a SOC exam, or SOC audit.
Questions that frequently come up when a SOC report is provided to a user entity are: What do I need to review in a SOC report and why? How do I know if a vendor’s controls are adequate for my company’s needs? Let’s dive into the answers to these questions.
The opinion letter
The first section that should be reviewed is the opinion letter, which is in the section of the SOC report called the "Independent Service Auditor's Report." The opinion will outline the scope of the report. It's important that the scope of the report covers the services you are relying on the vendor to perform. Most vendors offer multiple services, so make sure that the report's scope covers the ones you actually use.
The opinion letter also outlines the service auditor’s opinion on whether the vendor’s controls were designed appropriately and operating effectively. If any material issues were noted, these will be addressed in the opinion paragraph. Analyze any qualifications noted in the opinion to determine how they may affect your business.
Complementary user entity controls
Another component of a SOC report that should be reviewed is complementary user entity controls (CUECs). CUECs are controls that your organization should have in place to achieve the vendor's control objectives. A vendor's SOC report typically states that the control objectives identified in the description can only be achieved if the CUECs are both suitably designed and operating effectively at the user entity throughout the audit period. CUECs should be reviewed within a vendor's SOC report to help ensure that your company has implemented these controls.
The Independent Service Auditor’s Tests of Controls and Results
Make sure to review the Independent Service Auditor’s Tests of Controls and Results section. Here, you will find the detailed controls along with the independent service auditor’s tests of controls and results.
Along with the controls, the reviewer should also review the results of the tests performed for any exceptions noted. If an exception is noted, that means the control may not have been operating effectively during the audit period. It's important to review the test results for any exceptions and determine how they will impact your operations. Depending on the nature of the exceptions, you may want to inquire about what efforts management has undertaken to address their cause. You should analyze management's response to make sure it is adequate based on your organization's risk tolerance.
Learn more about how to read a SOC report
Vendor SOC reports should always be reviewed as part of your company's vendor management program. They not only provide valuable information about the vendor's internal controls but also, depending on the results and opinion in the report, can help identify a vendor that will provide a high level of service.
To learn more about SOC exams and reports, continue reading on:
How to read a SOC report
Understanding SOC exam exceptions and management letter comments
SOC 1 vs SOC 2: What’s the difference?