During our recent three day Vendor Management Bootcamp (click here to watch on-demand), we had a lot of GREAT questions come in. It was simply impossible to get to them all during the live sessions, so we have worked with the various speakers to compile the answers and make them available for all here.
Below you will find the questions and the speaker responses from Day 3, Session 2.
Mary Beth Marchione
Dissecting SOC Reports - PKM
Q1: Can you explain what a Type 1 and Type 2 include?
Answer: "A Type 2 report is a report that includes testing the operating effectiveness of the vendor's controls defined over the period of the report. A Type 1 report is just a point-in-time report that focuses on the design of the vendor's controls. The Type 1 report will be an "As Of" date while the Type 2 will cover a period of time."
For more information about the differences of SOC reports, download our infographic.
Q2: If the report doesn't state what type it is (i.e. SOC 1 Type 1), what's the easiest way to identify what type it is?
Answer: "While it should be specific, the easiest way will be to look at the opinion and if it specifically notes that the auditor tested the "operating effectiveness" of the controls, it is a Type 2 report. Also, a Type 1 report will always be "As Of" a specific date (you can find this in the Auditor's Opinion)."
Q3: Is there an opinion section in every SOC report? We were looking at a SOC 2 while you were talking and there wasn't one. Is that normal?
Answer: "Yes, there is an opinion in every SOC report. The auditor's opinion should be in the first section of the report. If it is not there, either an improper report was issued, or the vendor did not supply the entire report. Be careful, the vendor could have omitted the opinion on purpose because it was qualified or adverse."
Q4: Can you please clarify what types of companies will have a SOC report? Larger? Publicly traded?
Answer: "Various types of companies will have a SOC report; it depends on the services they are providing. A vendor that provides a service determined to be financially significant to their clients should perform a SOC 1, and vendors that provide critical services that impact security, availability, confidentiality, processing integrity and/or privacy, but do not impact financial reporting, should perform a SOC 2."
Q5: Do you have a breakdown/definition of the different components of the Opinion page?
Answer: "Following are the different components:
- Scope – describes the system the audit report covers as well as the parts of the service organization's system not covered by the service auditor's report – whether the inclusive or carve-out method was used related to subservice organizations
- Service Organization's Responsibilities
- Service Auditor's Responsibilities
- Inherent Limitations – statements related to the procedures performed noting that the auditor provides "reasonable assurance." The audit may not detect all errors.
- Reasons for qualified/adverse opinion (if applicable)
- Reference to the description of tests and controls (Type 2 report only)
- Restricted Use Statement"
Q6: I have been noticing many times that SOC reports are being issued from "unknown" consulting companies. Do you have any recommendations for ensuring that the company who performed the SOC testing is really qualified to be performing these reviews?
Answer: "You can perform due diligence and research to determine that the audit firm is in good standing. Some items to look at may include any open investigations, peer review results, open litigation, etc. Also, if the scope or details of the report are not clear or sufficient, the audit firm may not have the proper experience to perform the audit."
Q7: Does the opinion always state: qualified, unqualified, etc.? The one I'm looking at doesn't have any of those descriptions. It states "fairly represents," etc.
Answer: "No, it will not specifically state that the opinion is unqualified. However, there is specific language used in instances where there is a qualified or adverse opinion and the paragraph will be included directly before the opinion paragraph. This paragraph is typically titled, "Basis for Qualified/Adverse Opinion." When an opinion is unqualified, the opinion will state, "In all material respects." When an opinion is qualified it will say, "except for the matter referred to in the preceding paragraph (i.e. the "Basis for Qualified/Adverse Opinion" described above), in all material respects" and will describe the matter that is at issue within the opinion section of the report. You will need to read the details further to see what the issue may be. The system description may not be presented fairly, for example. If an opinion is disclaimed, the auditor will note that they could not express an opinion. When the auditor determines an adverse opinion it will say, "because of the matter referred to in the preceding paragraph" and then will note whether the description does not fairly present, the controls were not suitably designed, and or the controls did not operate effectively. This is a general guide, it will be important to read the details noted within the report and ask a qualified practitioner if you are not sure."
For more information, visit: https://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00101.pdf
Q8: When reviewing a fourth party SOC report that includes Complementary User Controls, how are we to ensure that our vendor is keeping up with them, keeping the security circle closed?
Answer: "You can review your vendor's report to determine whether the report covers the controls listed in the fourth party CUECs. Also, the report may include whether the vendor reviews their subservice organizations' audit reports and complementary user entity controls. The new standards in SSAE 18 place emphasis on vendor management and more transparency into the vendor management process."
To learn more about SSAE 18, download our infographic.
Q9: What is involved in "Testing & Documentation" of each control? We currently map all of the Controls in a table where we have Vendor Relationship Owners respond to each control. This is signed off on and documented. What additional steps are needed?
Answer: "Assuming you are referring to testing and documenting complementary user entity controls (CUEC), it will be important to document the control (activity) your organization performs to meet the CUEC as well as the test (how you ensure the control is working). This can be mapped to specific audits where these controls have been tested."
Q10: We received a SOC 3 from a document storage vendor - is this any different from SOC 1 or 2?
Answer: "It's similar to a SOC 2, as the auditors perform similar testing to come to the conclusions provided in the SOC 3 report. The SOC 3 report will not provide the same level of detail as it relates to testing and controls, so your review process will not be able to be as in depth."
For more information on the differences between the different SOC reports, download our infographic.
Q11: If a vendor has access to NPI should we be focused on the review of SOC 2 and that governs security?
Answer: "Yes, you will want to ensure that the security is included and perhaps confidentiality as well."
Q12: How should you handle a vendor that wants to charge for a SOC report?
Answer: "Vendors may charge for a SOC report. The best thing to do is ensure that it is clear within the contract that the service organization provides the SOC report without charge."
Q13: Do we need a SOC Report from a vendor that does not get PII?
Answer: "Some vendors that do not get PII may still be critical to your organization and ongoing operations. It will be important to evaluate the relationship from all perspectives to determine whether it is necessary. For example, a network security monitoring company may not have access to PII or NPI, but is performing a critical task that impacts your control environment."
Q14: What should be done if a vendor says they do not do SOC reports?
Answer: "There are other ways to perform vendor management, including onsite visits, reviewing output reports, monitoring reports, meetings with the service organization management and/or engaging an audit firm to perform pertinent testing procedures. You may want to determine the reason they are not receiving a SOC report and determine if you can gain comfort in other ways (i.e., the procedures noted above) or if this is an issue that may require reassessing the relationship. Vendors that do not understand their role in servicing financial institutions pose a risk to your organization and should be watched closely. You should always ensure that you have a contractual provision that requires vendor management due diligence provisions prior to signing any contracts. If the current contracts do not have these provisions, they must be included in the renewal stage."
Q15: For proof of vendor management how often can we purge old SOC reports?
Answer: "This will be dependent on your retention policies. Generally, it will be important to keep them for at least three to five years so that you can reference them to see trends, such as control deterioration from year to year."
Q16: What are your views on having a third party risk framework owned by 2nd LoD and a separate vendor management process?
Answer: "You should structure vendor management in a way that all relevant stakeholders are involved and that those with the level of knowledge related to the services provided are involved."
Q17: Is an ISO 27001 comparable to the SOC 2 report?
Answer: "Yes, ISO 27001 is based on international standards and is comparable to the SOC 2. Both are required to be performed by a third party. The ISO 27001 is a certification while SOC 2 is an attestation. Both follow international standards."
Learn how else we can help you, download our samples.