SOC reports can be confusing. There can be multiple types, some reports have fourth parties involved, you may have the right vendor but wrong report, you may be trying to determine what the value is and so on. Oh, and just how much more work is caused by complementary user entity controls?
There are several different SOC reports, with the most common being the SOC 1 and the SOC 2. But each of those also comes in two types: Type I and Type II.
Both reports provide you with the following 4 things:
Type I reports audit the design and suitability of controls at a point in time, while Type II audits cover a period of time (usually 6 months to a year).
One of the first key areas to review on a SOC report is the scope. The services, locations, and control areas included in the SOC report are listed in the service auditor’s report, which is section two of the overall report. Make sure that the service you use is listed there. Many vendors have multiple SOC reports for different products and services, and you wouldn’t be the first to be given the wrong one.
In the following paragraphs within the Scope section, look for language such as “The description includes only the control objectives…” and “…excludes the control objectives…”, as these typically signify what, if any, aspect of the service is carved out due to the use of a critical subservice organization. A subservice organization (a third party to the vendor, and therefore your fourth party) is an organization that, if it were to cease to operate, would affect the services offered by the vendor. This is very commonly seen with a data center or cloud service provider.
Subservice organizations are often used by vendors to provide part of their service. Some subservice organizations will be critical to your vendors, and those should be monitored. Within the auditor’s report, near the sentences noted above, the report should also outline which services the subservice organization provides on behalf of the vendor.
If there’s a subservice organization involved, know that it could be a separate vendor or it could be another division or business unit, also known as an internal subservice organization. If there is a subservice organization, you should also see a section for Complementary Subservice Controls, which outlines what controls are expected to be implemented at the vendor’s subservice organization.
One aspect that many users of SOC reports don’t know is that it’s the organization being audited, your vendor, that writes and designs the controls, not the auditor. There are guidelines, and the auditors will assist as needed, but the depth and scope of how each control is written are decided by the vendor. For example, a password control could be written as simply as:
“Administrative access to the company’s LAN is authenticated via user account and password.”
or be as complex as:
“Administrative access to the company’s LAN is controlled by Windows Active Directory, requiring unique user IDs and passwords. Complexity settings require passwords to be at least 12 characters long. Password history is set to 24. Passwords must be changed every 30 days and users are locked out after five failed login attempts.”
Keep this in mind the next time you’re looking through control activities. Due to this flexibility, I’ve had to say this a lot over the years: “SOC reports are not created equally.” This is one reason why having SOC reports reviewed by an information security or third-party vendor expert can be extremely valuable.
First, look at the service auditor’s report, section one. Towards the end, a section labeled Opinion starts with a paragraph beginning “In our opinion, in all material respects,…” and is followed by paragraphs a–c. Reading this section will inform you whether…
If the report is qualified, meaning at least one control objective was deemed ineffective due to issues identified within the report, there will be an addition to the first line of the section, “In our opinion, except for the matter referred to in the preceding paragraph, based on…”.
For Type II reports, you’ll want to look through section four, where you’ll find all the controls and their test results. There are multiple ways this section is displayed, but typically there is a table with a column labeled “Test Results”. From this column, you’ll be able to identify the individual control activities that have exceptions. Where there were none, you’ll typically find “No exceptions noted”.
Complementary user entity controls (CUECs) are processes that you, the consumer of the service or product, need to perform or have in place to ensure the vendor’s controls operate as expected. A common CUEC relates to account management. If the vendor provides a web portal that your employees log into, an associated CUEC would be access management. This is because the vendor won’t know when an employee should no longer have access to the portal, so a process or control on your side needs to be in place to notify the vendor of user access terminations. Your control complements the vendor’s.
Review CUECs with each new SOC report as they may change over time as the service evolves.
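The access-management CUEC above is the kind of control you can actually evidence. The following is an added example, not code from the original post or from any vendor, of a reconciliation check a user entity might run before each SOC review: it compares the vendor portal’s active-user export against HR’s active and terminated lists and produces the deprovisioning notifications owed to the vendor. All sample data is constructed, and the column names (`email`, `last_login`, `termination_date`) and the allow-list of known external accounts are assumptions.

```python
"""Reconcile a vendor portal user export against HR records (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample: active-user export from the vendor's web portal.
PORTAL_EXPORT = """\
email,last_login
Alice.Smith@example.com,2024-05-02
bob.jones@example.com,2024-04-28
carol.white@example.com,2024-05-01
contractor-42@vendor-managed.example,2024-05-03
eve@example.com,2024-04-20
"""

# Constructed sample: HR's current employee roster.
HR_ACTIVE = """\
email
alice.smith@example.com
"""

# Constructed sample: HR's termination records.
HR_TERMINATED = """\
email,termination_date
bob.jones@example.com,2024-04-30
carol.white@example.com,2024-04-25
dave.brown@example.com,2024-03-15
"""

# Assumed allow-list: accounts the vendor manages on our behalf, so no HR record is expected.
KNOWN_EXTERNAL = {"contractor-42@vendor-managed.example"}


@dataclass(frozen=True)
class Finding:
    email: str
    reason: str   # "deprovision", "post_termination_login" or "unverified_owner"
    detail: str


def _norm(email: str) -> str:
    # Email addresses are compared case-insensitively; exports rarely agree on case.
    return email.strip().lower()


def parse_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(portal_csv: str, hr_active_csv: str, hr_terminated_csv: str,
              known_external=frozenset()) -> list:
    """Return findings for portal accounts that HR says should not exist, or cannot vouch for."""
    portal = {_norm(r["email"]): date.fromisoformat(r["last_login"]) for r in parse_csv(portal_csv)}
    active = {_norm(r["email"]) for r in parse_csv(hr_active_csv)}
    terminated = {_norm(r["email"]): date.fromisoformat(r["termination_date"])
                  for r in parse_csv(hr_terminated_csv)}
    external = {_norm(e) for e in known_external}

    findings = []
    for email, last_login in sorted(portal.items()):
        if email in terminated:
            term = terminated[email]
            # A login after the termination date means the CUEC already failed once.
            if last_login > term:
                findings.append(Finding(email, "post_termination_login",
                                        f"terminated {term}, last login {last_login}"))
            else:
                findings.append(Finding(email, "deprovision", f"terminated {term}"))
        elif email in active or email in external:
            continue
        else:
            # No HR record at all: an orphaned or shared account that needs an owner.
            findings.append(Finding(email, "unverified_owner", "no HR record; confirm owner or remove"))
    return findings


def deprovisioning_request(findings: list) -> list:
    """The list of addresses to send to the vendor for removal."""
    return [f.email for f in findings if f.reason in ("deprovision", "post_termination_login")]


if __name__ == "__main__":
    results = reconcile(PORTAL_EXPORT, HR_ACTIVE, HR_TERMINATED, KNOWN_EXTERNAL)
    for f in results:
        print(f"{f.reason:22} {f.email:40} {f.detail}")
    print("Send to vendor:", deprovisioning_request(results))
```

Keep the run output with the rest of your SOC review workpapers; the vendor’s auditor tests that the vendor removes access when notified, and this reconciliation is your evidence that the notification side of the control operates.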
As you can see, SOC reports contain a lot of valuable information, so it’s important to understand what you’re reading and where to look for certain items. Following these six tips should help you with your review of a SOC report.