What is a SOC report? A SOC report is an independent audit report, prepared by a public accounting firm, that attests to the existence and effectiveness of the controls your vendor has put in place to safeguard your data. Listen to this podcast as we break down 6 of the most important parts of your vendor's SOC report.
Welcome to this week’s Third Party Thursday! My name is Lisa-Mae Hill and I’m an Information Security Specialist here at Venminder. In today’s podcast we’re going to discuss the basics of a vendor SOC report.
A SOC report is an independent audit report performed by a public accounting firm. The report attests to the existence and effectiveness of controls specified by the company being audited, your vendor. In practice, the report should tell you whether your vendor has the right controls in place to safeguard your data and whether those controls are actually working, within the scope of the audit. Keep the report type in mind when you read it: a Type I report attests to the design of the controls at a point in time, while a Type II report also tests whether those controls operated effectively over the review period.
It's important to review vendor SOC reports thoroughly as you obtain them. When you receive a report, it's not enough to read it; you need to review it and truly understand what it does and does not cover. As you work through the document, begin drafting an analysis that identifies any control gaps and lists the complementary user entity controls, the controls the vendor expects you, the customer, to have in place for its own controls to be effective.
The best way to start your review of a SOC report is to understand what to look for in the report and how to identify the gaps in your third party's controls.
When reviewing a SOC report, it's important to review the following areas:
It's important to identify gaps when reviewing each area of the SOC report and to document every finding. Have a qualified individual, such as a CISSP holder, perform the review and write up an expert analysis outlining the overall findings.
Your examiner will want to see the actual SOC reports on file for your vendors, as well as a qualified review of each audit report acknowledging your understanding of its strengths and weaknesses. The review should be done by qualified personnel who understand what controls should be in place at your vendor and can judge the severity of any findings.
Again, I’m Lisa and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.