SOC 1 reports can be confusing. There are multiple report types, some reports involve fourth parties, you may have the right vendor but the wrong report, and you may be unsure what value the report actually gives you. Oh, and just how much extra work do complementary user entity controls create? You’re not alone in your confusion, so here are six tips for understanding SOC 1 reports.
1. What types of SOC 1s are there?
There are two types of SOC 1 reports, Type I and Type II. Both reports provide you with the following:
- The “Independent Service Auditor’s Report”
- A letter from the vendor’s management called “Management’s Assertion”
- A description of the system being audited called “Description of the System”
- A description of tests of controls and results of testing
Type I reports assess whether controls are suitably designed as of a single point in time. Type II reports build on that by also testing the operating effectiveness of those controls over a period of time (usually six months to a year). In other words, a Type I report audits what you say, and a Type II report audits what you say and how you act.
2. What is included within the SOC report's scope?
One of the first key areas to review in a SOC report is the scope. The services, locations and control areas included in the report are listed in the service auditor’s report, which is in section two of the overall report. Make sure the service you actually use is listed there. Many vendors have separate SOC reports for different products and services, and you wouldn’t be the first to be handed the wrong one.
In the paragraphs that follow within the Scope section, look for language such as “The description includes only the control objectives…” and “…excludes the control objectives…”. These phrases typically signal which aspects of the service, if any, have been carved out because the vendor relies on a critical subservice organization. A subservice organization (a third party to the vendor, and therefore your fourth party) is an organization whose ceasing to operate would affect the services the vendor offers you. This is very commonly seen with a data center or cloud service provider.
3. What is excluded from the SOC 1 Report?
Vendors often use subservice organizations to provide part of their service. Some of these subservice organizations will be critical to your vendor, and those should be monitored as well. In the auditor’s report section, near the sentences noted in the prior tip, the report should also outline which services the subservice organization provides on behalf of the vendor.
If a subservice organization is involved, be aware that it could be a separate vendor or it could be another division or business unit of the same company, known as an internal subservice organization. The most common internal subservice is information technology, which results in a separate Information Technology General Controls (ITGC) report that you’ll also want to review in that case. Reviewing the ITGC report helps you verify the integrity of the data security controls and processes in place.
4. Who chose the controls?
One aspect that many users of SOC reports don’t realize is that the organization being audited, your vendor, writes and designs the controls, not the auditor. There are guidelines, and the auditors will assist as needed, but the depth and specificity with which each control is written are decided by the vendor. For example, a password control could be written as simply as:
“Administrative access to the company’s LAN is authenticated via user account and password.”
or be as complex as:
“Administrative access to the company’s LAN is controlled by Windows Active Directory, requiring unique user IDs and passwords. Complexity settings require passwords to be at least 12 characters long. Password history is set to 24. Passwords must be changed every 30 days and users are locked out after five failed login attempts.”
Keep this in mind the next time you’re looking through control activities. Because of this flexibility, I’ve had to say this a lot over the years: “SOC reports are not created equally.” This is one reason why having SOC reports reviewed by an information security or third-party vendor expert can be extremely valuable.
5. What were the findings?
First, look at the service auditor’s report, section one. Towards the end, a section labeled Opinion starts with a paragraph beginning, “In our opinion, in all material respects,…” and is followed by paragraphs a-c. Reading this section will tell you whether…
- The description fairly presented the system
- The controls were suitably designed
- The controls operated effectively (Type II only)
If the report is qualified, meaning at least one control objective was deemed ineffective because of issues identified within the report, the first line of the section will be modified to read, “In our opinion, except for the matter referred to in the preceding paragraph, based on…”.
For Type II reports, you’ll also want to look through section four, where you’ll find all of the controls and their test results. This section is displayed in several different ways, but typically it is a table with a column labeled “Test Results”. From this column you can identify the individual control activities that had exceptions. Where there were none, you’ll typically see “No exceptions noted”.
6. What are complementary user entity controls and what do I do with them?
Complementary user entity controls (CUECs) are processes that you, the consumer of the service or product, need to perform or have in place so that the vendor’s controls operate as expected. A common CUEC relates to account management. If the vendor provides a web portal that your employees log into, an associated CUEC would be access management: the vendor won’t know when an employee should no longer have access to the portal, so you need a process or control on your side to notify the vendor of user access terminations. Your control complements the vendor’s.
CUECs should be reviewed and fully understood as you will want to document:
- Whether they apply to you
- What role or team is responsible for each control
- Whether the control is already addressed by your existing controls
- What controls are not yet in place
Review the CUECs with each new SOC report, as they may change over time as the service evolves.
As you can see, SOC reports contain a lot of valuable information, so it’s important to understand what you’re reading and where to look for specific items. Applying these six tips should help you with your review of a SOC 1 report.