You're required to collect SOC Reports on your vendors. So, once you've determined which SOC report you need, make the request and receive it back...what's the next step? We'll explain now.
Do These 6 Things to Your Vendor SOC Reports
You don't just need to collect SOC reports from your vendor; further action is required. Here are 6 things you should do next:
1. Before analyzing a vendor's SOC report, create a list of items you need to see tested as well as those that are desired but not necessarily critical.
2. Read and understand the SOC report - engage experts if needed to help objectively review it and make sure it's comprehensive.
3. Look for gaps, areas of ambiguity and if they satisfied your list from #1.
4. Document and address those areas of ambiguity and dissatisfaction. If the SOC doesn’t satisfy your needs, ask the vendor for supporting evidence that those controls are in place.
5. Look for the complementary controls - they're the handoffs where your institution must follow some prescribed activities to ensure that your portion of the control works in harmony with the processes the vendor has put in place.
6. Ensure that the appropriate person (operations personnel directly involved with the product or service) in your organization knows specifically what they need to do to ensure the control gaps and complementary user controls are adequately addressed in your own institution.
Consequences of Not Doing These 6 Things
If you ignore the above...you put your institution at great risk.
1. Not knowing exactly what you’re looking for and going in blind will cause a lot of issues to sneak through the cracks.
2. Not knowing where to find key indicators means you will miss potentially critical details, such as critical subservice organizations and whether the report is qualified or unqualified, among many others.
3. You won't have a baseline, so your due diligence won't be consistent. You can’t know whether your due diligence is complete without an established baseline.
4. Particularly with SOC 1 reports, the control objectives included may not contain control objectives which may be very important to you, such as information security and resiliency. Without knowledge of these controls, your due diligence is not complete.
5. Many reports contain complementary user entity controls. If you don’t review each of these controls to determine whether they apply to the product or service you use the vendor for, you could invalidate the effectiveness of the control, introducing risk to your institution.
6. If you don't communicate with the right people in your institution about these reports and your third party risk manager is the only one reviewing SOC reports, your institution will be at high risk. Third party risk managers likely won’t have the full context around the implementation of the vendor’s product or service at your institution so errors will be made.
Long story short, regulators and best practices don't tell you to review your SOC reports just for the fun of it. These reports contain a lot of crucial information, likely requiring follow-up action from your institution.
To learn more on analyzing a SOC Report, download our eBook.