
6 Tips to Understanding a SOC 1 Report

Jul 24, 2015 by Venminder Experts

Let’s start with a basic description of a SOC 1 report. A SOC 1 describes the system of internal controls in place at a service organization that are relevant to its customers’ internal control over financial reporting.

If you are looking for a report that covers the service organization’s systems and processes used to deliver the product or service you purchased from them, you have the wrong report. That is a SOC 2 report.

If you are looking for a report that is relevant to a vendor that processes financial transactions, or you need assurance regarding the accuracy of financial data (payment processors, payroll processors, etc.), then a SOC 1 would be appropriate.

Now that you have determined a SOC 1 is the right report for you, here are a few tips on how to read the report and draw conclusions. 

1. Is the report a Type 1 or Type 2?

While both a Type 1 and a Type 2 include a description of the system and the suitability of the controls defined in the control objectives in that description, there’s a big difference between them. Simply put, a Type 1 covers a point in time and a Type 2 covers a period of time. The big difference between the two? Only a Type 2 tests whether the controls actually operated effectively.

2. What is the scope of the report?

Look for the opinion section of the report. This describes the scope of the audit and includes the auditor’s opinion on the result. Important stuff.

In this section you’ll find a description of the products, services and locations covered in the report. Are these relevant to what the vendor is providing to your organization? More importantly, has anything important to you been excluded from the report? If the answer is no to the first question and yes to the second question, then the report is useless to you.

Also important to understand in this section is whether your vendor’s vendors’ (subservice organizations’) descriptions and controls have been included. In most cases they are not. In that case, look for the words “carve out”. If by chance they are covered, you’ll find the word “inclusive”. How much you care about this depends on what critical activities your vendor may have outsourced to another vendor. You may need to obtain a SOC 1 (or SOC 2) from your vendor’s vendor(s).

3. What did management include or exclude from the report?

Your vendor decides what will be audited and what will not. It’s entirely possible that if management is aware of issues or exceptions, they will elect to omit criteria from the audit. Look for language such as “except for” in the management assertion section of the report. Control objectives are defined by the vendor, not the auditor.

4. Look for the complementary user entity controls!

What’s that you say? These are controls that support your vendor’s control objectives but must be performed by you. In other words, your vendor is saying that the effectiveness of their controls relies on you doing your part by managing the controls they have passed to you. You’ll want to be aware of the complementary user entity controls and ensure you have implemented processes to cover them.

5. What type of testing was used?

Common testing types are inquiry, inspection, observation and re-performance. Be leery of reports where the only testing type was “inquiry”. Inquiry should never be the only kind of testing performed, especially when the report covers a period of time.

6. Understand the test results

Look for a table. The control objectives, the description of each test and the test results are all included. Most importantly, look for management responses to the exceptions. Read the response and decide if you are satisfied with the answer. Did management include a remediation plan for the exception? Is it realistic, and how much confidence do you have in their ability to correct it? Remember, at this point the auditor is merely reporting. They will not issue an opinion on any management response.


Written by Venminder Experts

Venminder has a team of third party risk experts who provide advice, analysis and services to thousands of individuals in the financial services industry.
