If your organization is in a regulated industry, you’re probably somewhat familiar with SOC reports. Many regulators strongly recommend that you obtain SOC reports from your vendors, especially if they’re critical or high-risk.
However, you might be wondering why all vendors don’t just give you the same report. While some vendors give you a SOC 1, others will give you a SOC 2, or sometimes both! Others might even hand over a SOC 3. And, it’s not as simple as 1, 2 and 3. There’s even different types within a SOC 1 and SOC 2. So, what’s the difference between all these variations? This blog will provide a simple explanation.
Differences Between Vendor SOC 1, 2 and 3
Brief Vendor SOC Background
Let’s begin with a short history lesson. Before we can dive into SOC reports, it’s important to understand its origin with the Statement on Auditing Standards (SAS) No. 70. The SAS 70 was established by the American Institute of Certified Public Accountants (AICPA) and eventually replaced by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) in 2011. The SAS 70 and SSAE 16 were very similar, but the SSAE 16 included an attestation by an organization’s management, in which the purpose was to confirm that the described controls were in place and functional.
The SSAE 16 was replaced by the SSAE 18 in May of 2017. SOC reporting is directly influenced by the guidelines set forth in the SSAE 18. A major update to these guidelines was the requirement that your vendor identifies its subservice organizations, which are your fourth parties. In addition, your vendor should identify the assumed controls that are in place regarding your fourth parties.
A Vendor's SOC 1
Overall, a SOC 1 is used to address internal controls that relate to a vendor’s financial reporting. It essentially looks at the quality of the vendor’s bookkeeping by disclosing its financial and accounting controls.
Furthermore, the SOC 1 is broken down into two different types – a SOC 1 Type I and SOC 1 Type II. A Type I report evaluates controls within a single point in time (a single date) and often doesn’t test controls. A Type II report is considered the ideal option because it tests control effectiveness over a period of time, thereby giving you better insight into patterns or recurring issues.
A Vendor's SOC 2
In most cases, you’ll want to request the SOC 2 report. This is especially true when you’re dealing with an IT related vendor. Many people mistakenly believe that a SOC 2 report is simply the “next level” compared to a SOC 1, but the two reports are completely distinct and should be treated separately. It’s an apple to oranges comparison.
A SOC 2 report examines a service organization’s controls over one or more of the following five standards known as Trust Services Criteria (TSC):
- Processing Integrity
One of the benefits of a SOC 2 report is its consistency. This is the only audit that defines a consistent set of criteria that’s specific to the products of services that a vendor provides to you. When you want to measure the security, availability, confidentiality, processing integrity and/or privacy of a vendor product or service, there’s no better way to do this than by requesting a copy of their independently audited SOC 2 report.
Like the SOC 1, the SOC 2 report also comes in two types. A Type I report ensures that controls and in place and a Type II confirms that they’re effective. So, as you can probably guess, a SOC 2 Type II report is the best representation of how well a vendor is managing and safeguarding your data.
Remember when you review your Vendor’s SOC report, the controls are created by the vendor and tested by an auditor or CPA firm.
A Vendor's SOC 3
Now that you understand why a SOC 2 Type II is highly valuable, don’t be fooled into believing that the SOC 3 is even better, because it’s not!
From our perspective, a SOC 2 Type II is much preferable to a SOC 3. While a SOC 3 might have some of the components of a SOC 2, it won’t be as comprehensive as it is simply a summary report.
Let’s explain. A SOC 3 is designed to be made publicly available, without the requirement of a nondisclosure agreement (NDA). For this reason, it’s less detailed, less technical and won’t contain the same level of critical information that can be found in a SOC 2 Type II. In other words, a SOC 3 report is basically a high-level summary that’s been approved by the vendor, which can be posted on their website.
You may choose to use a SOC 3 during the initial due diligence stage, but a SOC 2 Type II is ideal for your more serious prospects.
4 Tips to Review Vendor SOC Reports
Reviewing a SOC report can be a little intimidating, but with the right strategy, you’ll be better prepared for success. Keep these 4 tips in mind:
- Communicate with the experts – Ensure that you have qualified experts to review and assess a vendor’s SOC report.
- Identify gaps – Take time to thoroughly review the SOC report to identify any gaps that need to be addressed.
- Record strengths and weaknesses – It’s important to document the strengths and weaknesses of the vendor’s controls in your assessment.
- Identify complementary controls – Complementary user entity controls (CUECs) should be reviewed and understood. CUECs tell your organization what it needs to do for the vendor controls to function properly.
Request and Analyze SOC Reports on Your Vendors
The key takeaway is that a SOC report is a highly valuable tool that can verify whether your vendor has sufficient and effective controls. Reviewing a SOC report, whether that’s a SOC 1 or 2 can greatly help with your ongoing monitoring duties and ensures compliance with regulatory expectations.