Wipfli logo

Bank on Wipfli - Blog and Podcast


3 questions to ask when reviewing SOC reports

Mar 16, 2022
Financial Institutions

By Ashley Hong

For over a decade, financial institutions have increased their reliance on outsourced providers for vital services. As that outsourced work increases, so do the risks to the institution.

Vendors making a significant impact on your institution should all be looked at closely. The goal of vendor monitoring is to ensure the vendors you’re using are delivering services as promised. This would include reviewing the financial condition and operational controls of the vendor.

You can request this information from the vendor, and they should provide you their financials and SOC reports, which describe the effectiveness of their internal controls.

Review of SOC reports is one of the most important components of ongoing vendor monitoring that will help ensure your vendors are reliable, secure and operating as expected. However, these reports can be complex and extensive, making it difficult to know just what to look for.

Here are three key questions to keep in mind when reviewing a vendor’s SOC report:

1. What is the auditor’s opinion, and were any exceptions noted?

If the SOC report has an unmodified opinion and there were no exceptions noted, that means that the vendor’s controls are operating properly. If your vendor’s SOC report has exceptions noted, you should identify any mitigating controls noted within the report and see if any responses or plans provided by the vendor to address the exception were included.

2. Do the vendor’s controls align with your controls?

There may be controls vendors require in order for their services to work properly. These controls will be noted as “Complimentary User Entity Control Considerations.” For example, if you do not use multifactor authentication and your vendor states that it’s required for their service, it’s possible that the vendor may not perform as promised. As you are continuously improving your controls, it’s also important to check what controls your vendors require.

3. How secure are your vendor’s cloud controls?

With cloud resources becoming widely used, this is a more important area to consider and review. It is important to consider your vendor’s technical controls, such as multifactor authentication requirements, firewall configurations and backup processes to ensure that your data is secured and easily retrievable

How Wipfli can help

Your vendors’ SOC audits enable you to provide your customers and prospects with a higher level of confidence in your processes and controls. Wipfli’s team can help assess which information in a SOC report is relevant to your organization and help you be certain your vendor is serving you well. Contact us to learn more, or continue reading:


Wipfli logo square

Wipfli Editorial Team

Bank on Wipfli blog
Subscribe to Bank on Wipfli - Blog and Podcast