Businesses have increasingly outsourced certain non-essential—and some essential—functions of their operations to service organizations and vendors. While these services save time and money for businesses, they also add an extra layer of risk, especially if they process sensitive data. Most of the time the business has no control over these risks.
At least that’s how it feels. Fortunately, the AICPA designed the System and Organization Controls (SOC) Suite of Services to foster better management of a client organization’s system and information when in the care of service organizations charged with performing important duties.
Read and Understand Your SOC Report for Crucial Insights
Although the SOC report has become the standard metric for evaluating, recording and reporting essential aspects of a service organization, it isn’t always crystal clear how to digest and understand the report results.
Here are some key areas to focus on when reading a SOC report:
There are two types of SOC reports – Type 1 and Type 2. A Type 1 report is an opinion on the design of controls as of a specific date: if the opinion is unqualified, the report states that as of that date the service organization’s controls were in place and suitably designed. A Type 2 report is an opinion on both the design and the operating effectiveness of controls over a period of time: if the opinion is unqualified, the report states that throughout the testing period the service organization’s controls were in place, suitably designed, and operating effectively.
When reading a SOC report, note the report type as well as the dates it covers. It is good if a vendor has a SOC report at all; however, a Type 2 report gives the reader more comfort in the control environment because it tests operating effectiveness over a period of time rather than design at a single point. If the organization only has a Type 1 report, ask when it plans to issue a Type 2 report. Additionally, if the report dates are more than a year old, it is difficult to rely on the report with confidence.
SOC audits may only cover certain business units within an organization, so it is important to understand what is in scope for the SOC report. The scope of the audit will be disclosed in the system description of the report.
Like a financial statement audit, a SOC audit results in an opinion. This opinion reports on the control environment and should be used as a gauge of whether or not the service organization’s controls can be relied on.
If an adverse opinion or a disclaimer of opinion is issued, this means either that the control environment is very poor or that the auditor was unable to obtain enough information to determine whether the environment was good or bad. If either of these opinions is issued, it should be a concern and should prompt the reader to inquire with the vendor about the opinion.
There is also the possibility of receiving a qualified opinion, in which the auditor singles out one aspect of the control environment and states that, aside from that area, the controls were sound. This opinion may or may not affect the reader’s organization, so it is important to understand which areas were qualified.
Exceptions might sound like a bad thing, but that isn’t always the case. They indicate a real problem only when they are severe enough to warrant a modification of the opinion.
These exceptions are disclosed in Section IV of the report, where the auditor outlines what each exception was. When reading the report, understand what the exceptions were and then read the service organization’s response to each one. The responses may explain what went wrong or what the organization is doing to resolve the issue.
Complementary User Entity and Subservice Organization Controls
Another aspect of the SOC report is the set of complementary user entity controls. These are controls that the service organization expects the readers of the report to have in place in order to achieve their own objectives. For example, the organization may have strong password parameters in place; however, this control is of little use if its customers do not keep their passwords confidential. Therefore, a user entity control would be that users are responsible for keeping login credentials secure and confidential.
When reading the report, understand the user entity’s responsibilities and make sure those controls are in place.
There are also complementary subservice organization controls. These are controls that the service organization relies on its own vendors to perform in order to achieve its objectives.
For example, the service organization may state that physical access is restricted to key personnel. However, if they utilize a colocation center, they are relying on that center to restrict physical access. Therefore, a subservice organization control would be that this center is responsible for maintaining
When reading the report, understand what services are outsourced and to whom, as well as what is expected of these subservice organizations.
Finally, don’t be afraid to ask questions, whether of the auditors about how to read a SOC report you’ve received, or of the service organization about its SOC results.
Do You Feel More Confident About Tackling Your SOC Reports?
Contact our GBQ IT Services team to gain deeper insights into SOC reports regarding each service organization with whom you work. Our IT team offers you opportunities to discuss this topic and others with professionals who have a combined 50 years of IT, cyber, and assurance experience, delivering IT risk, cybersecurity, and productivity solutions.
To learn more about SOC engagement and reporting variations, we’re pleased to provide access to our recent CyberTrends webinar, The Ins and Outs of a SOC Examination.
Article written by:
Manager, Information Technology Services