Understanding Vendor SOC Scope, Time and Narrative
The importance of reviewing your vendor's SOC scope, time and narrative.
Learn what the scope of a vendor's SOC report means and where to find it, typical audit periods and a few questions to ask yourself while reviewing the narrative.
You may also be interested in:
Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. In this video, we’re going to cover a SOC Report's scope, period and narrative section.
What is the scope of the report?
Normally, there are two places where you can find the scope of the report you are reviewing.
- First, you’ll find it within the “Independent Service Auditor’s Report” section at the beginning of the report.
There's a couple different statements you should look for:
- “We have examined [Vendor Name]’s accompanying Description of [Service Name]...” which will inform you of the primary focus of the audit.
- Another statement is, “Our examination did not extend to controls of the aforementioned (subservice organization/products/services),” meaning that those products or services were not included within the audit scope. This statement will be the case for the large majority of reports. You’ll find similar wording within the vendor’s, “Management Assertion.”
- The second place to look for the audit scope is within Section 3 of the report, the narrative. The typical heading is “Scope of Report.” This will give you a more in-depth explanation of the scope.
You’ll also want to determine what type of SOC Report it is and if it’s a SOC 2, what trust services principles were in scope. Types of SOC reports are covered in depth in another Third Party Thursday video titled 5 Types of Vendor SOC Reports.
What time period was audited in the SOC report?
Typical periods are January 1 - December 31 or October 1 - September 30 for twelve-month audit periods. The latter’s offset from January through December is because it takes two to three months to get the final report issued and SOC Reports generally follow financial statement timing.
A Gap or Bridge letter may be requested from management which is meant to disclose whether any control changes, deviations or exceptions have occured
Reviewing the SOC report’s narrative
The narrative tells you about the vendor, products within scope of the audit and how controls fit into general operations. Some vendors are much more thorough than others when creating this section. It should help answer questions such as:
- Are the products and services you receive from this vendor covered in the SOC report you have in hand?
- Many vendors produce multiple SOC reports, do you have the right one or do you need additional reports?
- Do they explain how controls govern their internal operations and product or service delivery for the products or services relevant to you?
- Do they explain how controls provide security, and potentially processing integrity, confidentiality, availability, and privacy of your data they are managing?
So there we go, now you know: What the scope means and where to find it, typical audit periods of a SOC report and a few questions to ask yourself while reviewing the narrative.
Again, I'm Aaron Kirkpatrick and thank you for watching! If you haven't already, subscribe to the Third Party Thursday series.
Subscribe to our Third Party Thursday Newsletter
Receive weekly third-party risk management news, resources and more to your inbox.