
6 Tips to Understanding a SOC 1 Report


SOC 1 reports can be confusing: there are multiple types, some reports involve fourth parties, you may have the right vendor but the wrong report, you may be trying to determine what value the report offers, and so on. Oh, and just how much more work is caused by complementary user entity controls? You’re not alone in your confusion, so here are six tips to understanding SOC 1 reports.

1. What types of SOC 1s are there?

There are two types of SOC 1 reports, Type I and Type II. Both reports provide you with the following:

  • The “Independent Service Auditor’s Report”
  • A letter from the vendor’s management called “Management’s Assertion”
  • A description of the system being audited called “Description of the System”
  • A description of tests of controls and results of testing

Type I reports audit the design and suitability of controls at a point in time, while Type II reports expand on that by also testing the operating effectiveness of the controls over a period of time (usually 6 months to a year). In other words, a Type I report audits what you say; a Type II report audits what you say and how you act.

2. What is included within the SOC report's scope?

One of the first key areas to review on a SOC report is the scope. The services, locations and control areas included in the report are listed in the service auditor’s report, which is in section two of the overall report. Make sure that the service you actually use is listed there. Many vendors have multiple SOC reports for different products and services, and you wouldn’t be the first to be given the wrong one.

In the following paragraphs of the Scope section, look for language such as “The description includes only the control objectives…” and “…excludes the control objectives…”, as these typically signify what, if any, aspect of the service is carved out because a critical subservice organization performs it. A subservice organization (a third party to the vendor, and therefore your fourth party) is an organization whose ceasing to operate would affect the services the vendor offers. This is very commonly seen with a data center or cloud service provider.

3. What is excluded from the SOC 1 Report?

Vendors often use subservice organizations to provide part of their service. Some subservice organizations will be critical to your vendors, and those should be monitored. Within the auditor’s report section, near the sentences noted in the prior tip, the report should also outline which services the subservice organization provides on behalf of the vendor.

If a subservice organization is involved, know that it could be a separate vendor or it could be another division or business unit of the vendor, known as an internal subservice organization. The most common internal subservice is information technology, which results in a separate Information Technology General Controls (ITGC) report that you’ll also want to review in this case. Reviewing the ITGC report helps verify the integrity of the data security and processes in place.

4. Who chose the controls?

One aspect that many users of SOC reports don’t know is that it’s the organization being audited, your vendor, that writes and designs the controls, not the auditor. There are guidelines, and the auditors will assist as needed, but the depth and scope of how each control is written are decided by the vendor. For example, a password control could be written as simply as:

“Administrative access to the company’s LAN is authenticated via user account and password.”

or be as complex as:

“Administrative access to the company’s LAN is controlled by Windows Active Directory, requiring unique user IDs and passwords. Complexity settings require passwords to be at least 12 characters long. Password history is set to 24. Passwords must be changed every 30 days and users are locked out after five failed login attempts.”

Keep this in mind the next time you’re looking through control activities. Due to this flexibility, I’ve had to say this a lot over the years: “SOC reports are not created equally.” This is one reason why having SOC reports reviewed by an information security or third-party vendor expert can be extremely valuable.

5. What were the findings?

First, look at the service auditor’s report, section one. Towards the end, a section labeled Opinion starts with a paragraph beginning, “In our opinion, in all material respects,…” and is followed by paragraphs a-c. Reading this section will inform you whether…

  • The description fairly presented the system
  • The controls were suitably designed
  • The controls operated effectively (Type II only)

If the report is qualified, meaning at least one control objective was deemed ineffective due to issues identified within the report, there will be an addition to the first line of the section, “In our opinion, except for the matter referred to in the preceding paragraph, based on…”.

For type II reports, you’ll want to look through section four where you’ll find all the controls and their test results. There are multiple ways this section is displayed, but typically there is a table with a column labeled “Test Results”. From this column, you’ll be able to identify individual control activities that have exceptions. Typically, you’ll find “No exceptions noted” where there were no exceptions.

6. What are complementary user entity controls and what do I do with them?

Complementary user entity controls (CUECs) are processes that you, the consumer of the service or product, need to perform or have in place to ensure the vendor’s controls operate as expected. A common CUEC relates to account management. If the vendor provides a web portal that your employees log into, an associated CUEC would be access management. This is because the vendor won’t know when an employee should no longer have access to the portal, so a process or control on your side needs to be in place to notify the vendor of user access terminations. Your control complements the vendor’s.

CUECs should be reviewed and fully understood as you will want to document:

  • Whether they apply to you
  • What role or team is responsible for each control
  • Whether the control is already addressed by your existing controls
  • What controls are not yet in place

Review CUECs with each new SOC report as they may change over time as the service evolves.

As you can see, SOC reports contain a lot of valuable information, so it’s important to understand what you’re reading and where to look for certain items. Following these six tips should help you with your review of a SOC 1 report.

Dive further into how to review a vendor SOC report. Download this eBook.
