SOC reports can be confusing. There can be multiple types, some reports have fourth parties involved, you may have the right vendor but wrong report, you may be trying to determine what the value is and so on. Oh, and just how much more work is caused by complementary user entity controls?
You’re not alone in your confusion, so here are six tips to understanding vendor SOC 1 reports:
1. What types of vendor SOC reports are there?
There are several different SOC reports, with the most common being the SOC 1 and the SOC 2. But those each come in two types as well: Type I and Type II.
Both reports provide you with the following four things:
- The “Independent Service Auditor’s Report” which provides the auditor’s opinion, typically categorized as qualified, unqualified, disclaimer, or adverse
- A letter from the vendor’s management called “Management’s Assertion” which should describe the service organization’s system to help the auditor perform the upcoming audit with certain reasonable assumptions in mind
- A description of the system being audited called “Description of the System” including Organization & Administration, Complementary User Entity Controls, Products and Services, and more
- A description of tests of controls and results of testing which is where the audit firm verifies and/or tests the controls in place and determines if they’re actually in place and/or operating effectively (Type II)
Type I reports audit the design and suitability of controls at a point in time, while Type II audits cover a period of time (usually 6 months to a year).
2. What is included within the vendor SOC report's scope?
One of the first key areas to review on SOC reports is the scope. Which services, locations, and control areas are included within the SOC report can be found in the service auditor’s report, which is in section two of the overall report. Make sure that the service you use is listed here. Many vendors have multiple SOC reports for different products and services, and you wouldn’t be the first to be given the wrong one.
In the following paragraphs, within the Scope section, look for language such as “The description includes only the control objectives…” and “…excludes the control objectives…”, as these typically signify what, if any, aspect of the service is carved out due to the use of a critical subservice organization. A subservice organization (a third party to the vendor, and therefore your fourth party) is an organization that, if it were to cease to operate, would affect the services offered by the vendor. This is very commonly seen with a data center or cloud service provider.
3. What is excluded from the vendor SOC Report?
Subservice organizations are often used by vendors to provide a part of their service. Some subservice organizations will be critical to your vendors and they should be monitored. Within the auditor’s report section near the sentences noted in the prior section, the report should also outline what services the subservice provides on behalf of the vendor.
If there’s a subservice organization involved, know that it could be a separate vendor or it could be another division or business unit, also known as an internal subservice organization. If there is a subservice, you should also see a section for Complementary Subservice Controls, which outlines what controls are expected to be implemented at the vendor’s subservice organization.
4. Who chose the controls?
One aspect that many users of SOC reports don’t know is that it’s the organization being audited, your vendor, that writes and designs the controls, not the auditor. There are guidelines, and the auditors will assist as needed, but the depth and scope of how each control is written are determined by the vendor. For example, a password control could be written as simply as:
“Administrative access to the company’s LAN is authenticated via user account and password.”
or be as complex as:
“Administrative access to the company’s LAN is controlled by Windows Active Directory, requiring unique user IDs and passwords. Complexity settings require passwords to be at least 12 characters long. Password history is set to 24. Passwords must be changed every 30 days and users are locked out after five failed login attempts.”
Keep this in mind the next time you’re looking through control activities. Due to this flexibility, I’ve had to say this a lot over the years: “SOC reports are not created equally.” This is one reason why having SOCs reviewed by an information security or third-party vendor expert can be extremely valuable.
5. What were the findings?
First, look at the service auditor’s report, section one. Towards the end, a section labeled Opinion starts with a paragraph beginning, “In our opinion, in all material respects,…” and is followed by paragraphs a-c. Reading this section will inform you whether:
- The description fairly presented the system
- The controls were suitably designed
- The controls operated effectively (Type II only)
If the report is qualified, meaning at least one control objective was deemed ineffective due to issues identified within the report, there will be an addition to the first line of the section, “In our opinion, except for the matter referred to in the preceding paragraph, based on…”.
For Type II reports, you’ll want to look through section four, where you’ll find all the controls and their test results. There are multiple ways this section is displayed, but typically there is a table with a column labeled “Test Results”. From this column, you’ll be able to identify individual control activities that have exceptions. Typically, you’ll find “No exceptions noted” where there were no exceptions.
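As an added example (not part of the original article, and not tied to any real report), the following Python helper triages a section four test-results table that has been extracted to CSV, and checks the Opinion paragraph for the qualifying phrase quoted above. The column names, the sample rows and the control objective labels are all constructed for illustration; real extracts will need their headers mapped to these names.

```python
import csv
import io
import re

# Constructed sample extract of a Type II section four table (not from any real SOC report).
SAMPLE_SECTION4_CSV = """control_objective,control_activity,test_results
CO1 Logical Access,"Administrative access to the LAN requires a unique user ID and password.",No exceptions noted
CO1 Logical Access,"Terminated user accounts are disabled within 24 hours of notification.","Exception noted: 2 of 25 sampled terminated users retained access for more than 24 hours."
CO2 Change Management,"Changes are approved prior to deployment to production.",No exceptions noted.
CO3 Backup,"Backups are performed nightly and monitored for failure.",  no exceptions noted
"""

# Auditors phrase the clean result slightly differently (trailing period, case, whitespace),
# so anything that is not a variant of "No exceptions noted" is treated as an exception.
NO_EXCEPTION_RE = re.compile(r"^\s*no\s+exceptions?\s+noted\.?\s*$", re.IGNORECASE)

# The page quotes the qualified-opinion wording "except for the matter referred to in the
# preceding paragraph"; this pattern allows the plural and a common synonym for "referred to".
QUALIFIED_RE = re.compile(
    r"except for the matters? (referred to|described) in the preceding paragraph",
    re.IGNORECASE,
)


def parse_test_results(csv_text):
    """Parse the extracted table into a list of row dicts keyed by the header names above."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_exceptions(rows):
    """Return every row whose Test Results column is not a variant of 'No exceptions noted'."""
    return [r for r in rows if not NO_EXCEPTION_RE.match(r["test_results"])]


def exceptions_by_objective(rows):
    """Group the exception rows by control objective so the reviewer can see which
    objectives are affected; this is what feeds the qualified/unqualified judgement."""
    grouped = {}
    for row in find_exceptions(rows):
        grouped.setdefault(row["control_objective"], []).append(row["control_activity"])
    return grouped


def opinion_is_qualified(opinion_text):
    """True when the Opinion paragraph carries the 'except for the matter...' qualifier."""
    return bool(QUALIFIED_RE.search(opinion_text))


if __name__ == "__main__":
    rows = parse_test_results(SAMPLE_SECTION4_CSV)
    for objective, activities in exceptions_by_objective(rows).items():
        print(objective)
        for activity in activities:
            print("  exception:", activity)
    sample_opinion = ("In our opinion, except for the matter referred to in the preceding "
                      "paragraph, based on the criteria described ...")
    print("qualified opinion:", opinion_is_qualified(sample_opinion))
```

Running the block against the constructed table flags the one terminated-user exception under the logical access objective and reports the sample opinion as qualified; on a real extract, every flagged row should be read in full, because the “Test Results” cell usually states the sample size and the number of deviations, which is what you need to judge the impact.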
6. What are complementary user entity controls and what do I do with them?
Complementary user entity controls (CUECs) are processes you, the consumer of the service or product, need to perform or have in place to ensure the vendor’s controls operate as expected. A common CUEC would be one that relates to account management. If the vendor provides a web portal that your employees log into, an associated CUEC would be access management. This is because the vendor won’t know when an employee should no longer have access to the portal, so a process or control on your side would need to be in place to notify the vendor of user access terminations. Your control complements the vendor’s.
CUECs should be reviewed and fully understood as you will want to document:
- Whether they apply to you
- What role or team is responsible for each control
- Whether the control is already addressed by your existing controls
- What controls are not yet in place
As you review CUECs, do the following:
- Review associated control objectives
- Determine which CUECs apply
- Assign each CUEC
- Determine which CUECs are addressed (as well as address each applicable CUEC and record how it’s addressed)
- Assess each CUEC
Review CUECs with each new SOC report, as they may change over time as the service evolves.
As you can see, SOC reports contain a lot of valuable information, so it’s important to understand what you’re reading and where to look for certain items. Following these six tips should help you with your review of a SOC report.
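The CUEC review steps above, and the advice to re-review CUECs with each new report, can be kept in a small register. The Python below is an added example, not code from the article; the CUEC identifiers, descriptions, owners and internal control references are constructed placeholders, and the field names are an assumption about how a team might record its decisions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cuec:
    """One complementary user entity control as listed in the vendor's SOC report,
    plus the user entity's own review decisions (constructed field names)."""
    cuec_id: str
    description: str
    control_objective: str
    applies: Optional[bool] = None      # None = applicability not yet determined
    owner: Optional[str] = None         # role or team assigned to the CUEC
    addressed_by: Optional[str] = None  # reference to the existing internal control, if any


# Constructed CUECs from a prior report (placeholder IDs and wording, not from any real report).
PRIOR_REPORT_CUECS = [
    Cuec("CUEC-1", "User entity notifies the vendor of user access terminations within 24 hours.",
         "CO1 Logical Access", applies=True, owner="IAM team", addressed_by="IAM-07"),
    Cuec("CUEC-2", "User entity reviews portal user access quarterly.",
         "CO1 Logical Access", applies=True),
    Cuec("CUEC-3", "User entity secures transmissions using the vendor's SFTP interface.",
         "CO4 Data Transmission", applies=False),
]

# Constructed CUECs from the new report: CUEC-2 was reworded, CUEC-3 dropped, CUEC-4 added.
NEW_REPORT_CUECS = [
    Cuec("CUEC-1", "User entity notifies the vendor of user access terminations within 24 hours.",
         "CO1 Logical Access", applies=True, owner="IAM team", addressed_by="IAM-07"),
    Cuec("CUEC-2", "User entity reviews portal user access at least annually.",
         "CO1 Logical Access", applies=True),
    Cuec("CUEC-4", "User entity approves vendor-initiated changes to its data feed.",
         "CO2 Change Management"),
]


def triage_cuecs(cuecs):
    """Apply the review steps: determine applicability, assignment and coverage.
    Returns lists of CUEC IDs per status; an applicable CUEC with no addressing
    control is a gap, and an applicable CUEC with no owner is unassigned."""
    register = {"undetermined": [], "not_applicable": [], "unassigned": [], "addressed": [], "gaps": []}
    for c in cuecs:
        if c.applies is None:
            register["undetermined"].append(c.cuec_id)
        elif not c.applies:
            register["not_applicable"].append(c.cuec_id)
        else:
            if c.owner is None:
                register["unassigned"].append(c.cuec_id)
            if c.addressed_by:
                register["addressed"].append(c.cuec_id)
            else:
                register["gaps"].append(c.cuec_id)
    return register


def diff_cuecs(previous, current):
    """Compare the CUEC lists of two report versions so that added, removed and
    reworded CUECs get a fresh review instead of inheriting last year's decisions."""
    prev = {c.cuec_id: c for c in previous}
    cur = {c.cuec_id: c for c in current}
    same_ids = set(prev) & set(cur)
    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "changed": sorted(i for i in same_ids
                          if prev[i].description.strip().lower() != cur[i].description.strip().lower()),
    }


if __name__ == "__main__":
    print("register:", triage_cuecs(NEW_REPORT_CUECS))
    print("changes since prior report:", diff_cuecs(PRIOR_REPORT_CUECS, NEW_REPORT_CUECS))
```

With the constructed data, the register shows CUEC-1 addressed, CUEC-2 both unassigned and a gap, and CUEC-4 still undetermined, while the diff against the prior report flags CUEC-4 as new, CUEC-3 as removed and CUEC-2 as reworded; in practice the diff output is the list of CUECs to re-review when the new report arrives, and the gap list is what goes to the control owners.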