Learn what the scope of a vendor's SOC report means and where to find it, typical audit periods and a few questions to ask yourself while reviewing the narrative.
Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. In this video, we’re going to cover a SOC Report's scope, period and narrative section.
Normally, there are two places where you can find the scope of the report you are reviewing.
There are a couple of different statements you should look for:
Typical periods are January 1 - December 31 or October 1 - September 30 for twelve-month audit periods. The latter’s offset from January through December is because it takes two to three months to get the final report issued and SOC Reports generally follow financial statement timing.
A Gap or Bridge letter may be requested from management, which is meant to disclose whether any control changes, deviations or exceptions have occurred.
The narrative tells you about the vendor, products within scope of the audit and how controls fit into general operations. Some vendors are much more thorough than others when creating this section. It should help answer questions such as:
So there we go, now you know: What the scope means and where to find it, typical audit periods of a SOC report and a few questions to ask yourself while reviewing the narrative.
Again, I'm Aaron Kirkpatrick and thank you for watching! If you haven't already, subscribe to the Third Party Thursday series.