Requesting a SOC report from your vendor is an important step to validate that the proper controls are in place at that company and, if they are not, to give you the opportunity to ask your vendor to strengthen those controls. The SOC audit report gives you a deeper overview of how the vendor is performing against those controls. Requesting the audit report is not only an industry best practice but also a regulatory requirement under guidance such as the FFIEC IT Examination Handbook.
You know that you need to obtain the SOC report from your vendor, but exactly how do you go about requesting it?
Here are a few ways:
- Engage your first line of defense. For an established vendor, you can have your vendor relationship management team, also known as the first line of defense, reach out directly to the vendor via phone or email to request and obtain the documentation. They are typically the day-to-day contact that the vendor interacts with.
- Be proactive by including it in your contract. A proactive approach is to include the requirement of a SOC report review in your vendor contract language with an ongoing monitoring timeline in place.
- Outsource if needed. Another option is to outsource these requests to a third party with a team of experts on staff, such as CISSPs (Certified Information Systems Security Professionals), who can handle the document collection and SOC analysis for your organization.
So, why should you request the SOC audit report from your vendor? Ideally, it should help you discover any operational disconnects between what you want the vendor to do and what they are actually doing. The report can help identify operational gaps, perhaps related to unauthorized or inappropriate access or to data loss prevention, or it can serve as confirmation that the controls in place are sufficient.
Another reason a SOC report review adds value to your vendor vetting and monitoring process is that it outlines the controls your own organization needs to implement to help the vendor accomplish some of its controls. These are called complementary user entity controls; your organization is the user entity.
Here is a brief overview of the different report types and when you should request each:
- SOC 1 – This report is designed to review a vendor’s internal controls as they relate to financial reporting. A SOC 1 Type 1 covers the controls in place at a single point in time. A SOC 1 Type 2 covers the controls in place over a period of time. A Type 2 report is preferred when available.
- SOC 2 – This report is an examination of the vendor’s controls against a selection of the 5 Trust Services Criteria (Security, Processing Integrity, Availability, Confidentiality and Privacy). It can cover a single criterion or all five. Since these reports are specifically targeted at information security and system availability, request this report to help you determine whether the proper controls are in place to protect your organization’s information. This report can also be a Type 1 or a Type 2.
- SOC 3 – This is a high-level summary of the SOC 2 report, so it is not as comprehensive. It is a good report to request when initially vetting a vendor, but it should not replace a SOC 1 or SOC 2.
- SSAE 18 – This report accompanies the SOC 1 and requires your vendor to outline the functions provided by its own vendors (the subservice organizations, which are your fourth parties) and the controls those subservice organizations are assumed to have in place. Request this report to better understand your fourth parties’ operations and procedures, such as when a fourth party has access to non-public personal information (NPPI) or your customers’ information.
Requesting and obtaining the correct SOC report from a vendor is a very important due diligence component for any organization. The process can be streamlined greatly when it is clearly understood how and why you should be requesting these reports.
Do you know how to review a SOC report once you receive one? Download our guide now to learn how to properly analyze a vendor SOC report to mitigate third party risk.