What Is a Vendor SOC Report?

A system and organization controls (SOC) report is often one of the most challenging documents to review during vendor due diligence. SOC reports are available in multiple variations that serve different purposes, and they might contain confusing terms like Trust Services Criteria or management’s assertion.

To begin, let’s review a basic definition of a SOC report:

It’s the resulting report from an independent examination of internal controls following the SSAE 18 standard issued by the American Institute of Certified Public Accountants (AICPA). The report will attest to the existence and effectiveness, for type II audits, of controls specified by the company being examined (your vendor). Basically, the report should tell you if your third-party vendor has the right controls in place to safeguard your data and if those safeguards are actually working, based on the scope and type of the examination as determined by the vendor.

If you’re still a little confused by this explanation, it may help to answer two common questions about third-party SOC reports. First, what are SOC reports used for? And second, why are there different types of SOC reports? Once you understand these two aspects, you should have a better understanding of these types of reports. 

What Is the Purpose of a Third-Party Vendor SOC Report?

First and foremost, a third-party vendor SOC report is produced to confirm whether a vendor’s controls are in place and operating effectively for type II examinations or identify if there are any control exceptions, which are occurrences where a control did not operate effectively during the period. Controls refer to governance and technical practices the vendor has implemented to measure whether their objectives have been achieved. 

One category of control that is often included in SOC reports of all types is logical access controls. These controls are designed to ensure that certain data and rights are only given to the appropriate users. Logical access controls are also used to limit data and rights so that users don’t have access to anything that they don’t need for their job. This type of control is often referred to as the principle of least privilege. Separation of duties is another control used to prevent a user from approving their own request or having access to data without another party knowing.

A third-party SOC report would reveal whether these controls are in place and effective. If they aren’t, the SOC report would contain something called an exception. The most common exceptions are around logical access controls, usually because of faulty termination or account audit processes. 

Aside from simply confirming controls, a third-party vendor SOC report can serve other purposes such as:

1. Gives an opportunity to verify that independent testing of controls has been completed
2. Provides an overview of the product/service you’re using
3. Helps you with your requirement to continuously monitor vendors adequately
4. Assists in verifying that the third-party vendor has adequate controls in place to protect their system

A third-party vendor SOC report can be very insightful, although this isn’t a standard document that every vendor will have. A low-risk vendor like a cleaning company or landscaper probably isn’t going to have a SOC report, which shouldn’t be an issue since they’re unlikely to have access to any sensitive data. New and small third-party vendors are also less likely to have SOC reports, in which case you’ll need to thoroughly review the other due diligence they provide. However, it should raise some concern if one of your critical vendors can’t provide a current SOC report, and you may want to re-consider the relationship.  

The Different Types of Third-Party Vendor SOC Reports

To touch on them briefly, here’s a quick overview of the three main reports you’ll see, along with the difference between Type I and Type II:

• SOC 1 Report– Designed to review a vendor’s internal controls as they relate to financial reporting. SOC 1 audit reports are best for your non-information system-based products and services.
• SOC 2 Report–An examination on the third-party vendor’s controls over one or more of the trust services criteria which are security, availability, processing integrity, confidentiality, and privacy.
  
  Note: SOC 1 and SOC 2 are further divided into the following:
  
  • Type I shows controls in a single point in time
  • Type II shows controls during a period of time 
• SOC 3 Report– A high-level summary of the SOC 2 which can be shared publicly. Therefore, it’s not as comprehensive.

Additionally, guidance has been created to perform audits in the following specific areas, but their adoption has been slow. Those areas are:

• SOC for Cybersecurity – This may help you understand a vendor’s maturity and effectiveness of their cybersecurity program. 
• SOC for Supply Chain – Overlaps with the SOC 2 in some ways. If requested, review management’s description, management’s assertion, and practitioner’s report.

If you haven’t been requesting and reviewing a vendor's SOC reports, then make sure you adopt this important practice. It’s a regulatory requirement for some and a good recommendation for others.

In general, SOC reports are the best way to gain insight into your vendor’s control environment. Auditors and examiners will expect to see these reports and the corresponding analyses on file as part of your vendor due diligence process. Ensuring that you have these documents and analyses on file can help avoid exam findings and a lot of headaches down the road. If you’re not sure where to begin, check out the AICPA website for helpful information like this here.