The importance of a System and Organization Controls (SOC) report in third party risk management cannot be stressed enough. A SOC report is prepared by an independent auditor, so you can be assured that you’re getting an impartial view of your vendor’s control environment. The good, the bad and the needs some work are all in one place.
Before you start your SOC review process, you will need to contact your vendor and request their current SOC report and any pertinent gap (bridge) letter. The gap letter is issued by the vendor to cover the dates between the ending date of the last SOC report period and the date of the letter. It’s often used as interim assurance that controls are still in place and operating effectively while you’re waiting for the next SOC audit report to be released. In addition, make sure that you request the specific SOC report or gap letter for the product or service that you have contracted for, as many vendors have multiple service offerings and therefore have multiple reports.
I’ve Received the Report. Now What?
Let’s break it down into four steps:
- Confirm the Dates and Product/Service: Once you’ve received the appropriate SOC report, you will first need to verify that it’s the most current report available and covers the product/service under contract.
- Review the “Report of Independent Service Auditors” section: This part of the report will explain to you exactly what the report covers and will let you know if the report resulted in a Qualified Opinion. An auditor provides a qualified opinion when the designated controls are NOT operating effectively. It’s a potential red flag!
- Review the auditor’s results of testing all the control objectives: As you review the report, you will see the auditor’s results of testing all the control objectives. In the event there are any exceptions – an exception is when a control objective did not operate as it should – you will want to review those, along with any management response from the vendor.
- Look at the Complementary User Entity Controls (CUECs): These are YOUR responsibility. The CUECs are controls that your vendor needs you to have in place so that the vendor’s controls are operating effectively. These controls “complement” your vendor’s controls.
The SOC Report Frequency
Typically, SOC reports are conducted annually, although there are some vendors that engage a firm for a semi-annual or even bi-annual SOC report. The frequency of your vendor’s SOC reporting period will determine the frequency of your review. Just remember that examiners and auditors love to see that your vendor’s current SOC report is on file and has been reviewed.
SOC Reports Don’t Have to Be Confusing
A SOC report can appear to be a very intimidating report. Don’t let it scare you and remember that a SOC report is presented in a very standard format:
- Section 1: Report of Independent Service Auditors
- Section 2: Vendor Assertion
- Section 3: Vendor’s Description
- Section 4: Control Objectives and Results of Testing
- Section 5: Other Information
Once you become familiar with the format and the language, you’re halfway to conquering this new territory. Just follow the steps above and you will be on your way to a better understanding of a SOC report.