What Is a Vendor SOC Report?

Dec 17, 2019 by Aaron Kirkpatrick

If you’re reading this, you’re likely one of many in the industry who finds the entire concept of SOC (System and Organization Controls) reporting perplexing. Don’t worry. You’re not alone!

So, to begin, let’s quickly address what a SOC report is: it’s the report resulting from an independent audit of internal controls performed by a public accounting firm. The report attests to the existence and, for type II audits, the effectiveness of controls specified by the company being audited (your vendor). Basically, the report should tell you if your vendor has the right controls in place to safeguard your data and if those safeguards are actually working, based on the scope of the audit as determined by the vendor.

That’s a whole lot of words thrown on a page and probably doesn’t really connect the dots, right? Let’s see if we can clarify further.

What Is the Purpose of a SOC Report?

First and foremost, a third-party SOC report is made available to confirm that the controls the vendor says are in place actually are, that (for type II audits) they’re operating effectively, and whether there are any control exceptions.

And when we say controls, we mean security measures the vendor has implemented as a precaution to ensure data is protected.

An example could be logical access controls. Logical access controls should be in place to ensure only appropriate people have access to data and only the rights needed to perform their normal function. To demonstrate this, controls may reference the principle of least privilege, where only the required access is provided and no more, or reference separation of duties, where a user would not have the ability to approve their own request or have access to data without another party knowing. More exceptions are found surrounding logical access controls than any other control area, primarily due to faulty termination or account audit processes.

And besides just confirming controls, there are quite a few other reasons for a SOC report. Here are four:

  1. An opportunity to verify independent testing of controls has been completed
  2. Provides an overview of the product/service you’re using
  3. Helps you with your requirement to continuously monitor vendors adequately
  4. Verifies the vendor has adequate controls in place to protect their system

SOC reports are important and should be analyzed thoroughly. However, it should be noted that not all vendors will have one, and they are not required to. For example, your cleaning company isn’t going to have one, and if you ask them for one, they’re going to be pretty confused. On the other hand, if a critical vendor does not have a SOC report, or the report they have is overdue, then that’s concerning. Lower-risk, new, and small vendors will be less likely to have a SOC report. In these cases, you’ll want to pay closer attention to the additional due diligence evidence they provide.

The Different Types of SOC Reports

To touch on them briefly, here’s a quick overview of the three main reports you’ll see:

  • SOC 1 – Designed to review a vendor’s internal controls as they relate to financial reporting. SOC 1 audit reports are best for your non-information system-based products and services.
  • SOC 2 – An examination of the vendor’s controls over one or more of the trust services criteria, which are security, availability, processing integrity, confidentiality and privacy.
  • SOC 3 – A high-level summary of the SOC 2 which can be shared publicly. Therefore, it’s not as comprehensive.

If you haven’t been requesting and reviewing SOC reports, then make sure you do so in 2020. It’s a regulatory requirement for some and a recommendation for others, and in general they’re the best audit report to review for vendors right now. Auditors and examiners will expect to see the reports and the corresponding analyses on file as part of your due diligence process. If you don’t have them on file, it could lead to an exam finding, which no one ever wants. If you’re not sure where to begin, check out the American Institute of Certified Public Accountants (AICPA) website for helpful information.


Written by Aaron Kirkpatrick

Aaron is a Certified Information Systems Security Professional (CISSP) who has acquired a wide range of organizational, technical and compliance knowledge, applying it within data center and financial institution services sectors. He’s created and successfully led security, risk and audit programs, including SOC engagements, for data centers and a financial application company, transitioning to Internal Audit at one of the largest financial system providers. He has paired a technical degree in Network Administration and Engineering with a Bachelor’s degree in Management Information Systems. Relevant professional certifications include: Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), GIAC Certified Incident Handler (GCIH) and GIAC Critical Controls Certification (GCCC). He is a member of ISACA and (ISC)2.
