Most businesses now rely on a range of service organizations to run their operations efficiently. While service organizations do an excellent job of streamlining business workflows for their clients, it is equally important that they protect the data entrusted to them. In the age of remote and hybrid work in particular, businesses need visibility into how their vendors handle that data. A reliable, time-tested way to get it is to review the vendor's SOC report, which is issued by an independent third-party auditor.
A System and Organization Controls (SOC) report is an attestation report on a service organization's internal controls. An independent auditor (the service auditor) examines the controls, and the depth of that examination depends on the type of report requested: Type 1 covers the design of the controls as of a point in time, while Type 2 additionally covers the operating effectiveness of those controls over a specified period.
Why is the SOC report so important?
SOC reporting is an attestation framework developed by the AICPA (American Institute of Certified Public Accountants) and recognized internationally. It establishes trust and transparency between service organizations and the stakeholders of the user entities that rely on them. The examination helps a service organization identify and address risks and establish effective controls to prevent or mitigate them. SOC reports are typically read by the following stakeholders:
- Senior leadership
- Audit committee
- Boards of Directors
- Customers
- Audit teams
- Compliance teams
- Security teams
What are the different categories of SOC reports?
There are currently three categories of SOC report. Here is a brief summary to help you figure out which one you need from a vendor:
- SOC 1 – This report provides assurance about the service organization's internal control over financial reporting, i.e. controls that could affect the user entity's financial statements.
- SOC 2 – This report examines the internal controls relevant to information security, evaluated against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
- SOC 3 – A SOC 3 report is intended for public release. It is a high-level summary of the SOC 2 examination that includes the auditor's opinion but omits the details of the auditor's tests and their results.
For the purpose of this article, we will be focusing on SOC 2 reports.
What are the key steps to review a vendor SOC 2 report?
Request the SOC 2 report from the vendor. Some vendors make the report available on their website or trust portal, usually behind a login and a non-disclosure agreement, because it contains confidential details of their controls. Below is a step-by-step approach to reviewing the report comprehensively, so that you leave no stone unturned. Let's get started!
- Find out who issued the report
Before getting into the controls themselves, review a few basic parameters. Who issued the report, and when, determines how much weight you can put on it. While reviewing who issued the SOC report, verify the following two aspects of the auditor's firm:
- Under AICPA rules, a SOC 2 report can only be issued by a licensed CPA (Certified Public Accountant) firm. Confirm that the firm named in the report is one.
- Because SOC 2 is an information-security audit, check whether the CPA firm has information technology or information security credentials and experience, rather than being purely a financial auditor.
- Identify when the report was issued
Check when the report was issued and which period the vendor's SOC 2 report covers. Make sure you have the most recent report, and note the gap between the end of the covered period and today: for a Type 2 report, that gap is time for which you have no assurance, and for a long gap you should ask the vendor for a bridge (gap) letter stating that no material changes to the controls have occurred since the period ended.
- Identify the scope of the SOC report
When reviewing a SOC 2 report, first identify which of the Trust Services Criteria were examined in the audit (security is always included; the other four are optional). Other scope parameters to check in the vendor's SOC report are:
- Responsible participants (staff)
- Specific dates or timeframe
- Certain locations
- Software tools and technologies utilized
- Review the auditor's opinion of the vendor SOC report
Now for the most critical step: reviewing the auditor's opinion. The opinion is a short letter stating whether the description of the service organization's system is fairly presented, whether the controls were suitably designed to meet the applicable Trust Services Criteria and, for a Type 2 report, whether they operated effectively throughout the covered period. It is the auditor's bottom line on how well the organization protects its user entities. The auditor issues one of four types of opinion:
- Unqualified Opinion – The service auditor found the system description to be fair and accurate and the controls to be suitably designed and, for a Type 2, operating effectively throughout the specified period. This is the "clean" opinion, issued without reservations.
- Qualified Opinion – The auditor could not deliver an unqualified opinion because some controls were not suitably designed or failed to operate effectively, or part of the description was not fairly presented. The description and most of the controls are, however, accurately presented and working effectively, and the opinion describes the specific exceptions. The problems are material but not so pervasive that they warrant an adverse opinion.
- Adverse Opinion – An adverse opinion is issued when the auditor finds failures that are both material and pervasive, so that the service organization's system does not meet one or more of the Trust Services Criteria (TSCs) in the scope of the SOC 2 audit. These failures are detailed in the opinion.
- Disclaimer of Opinion – The service auditor states that an opinion cannot be expressed because the evidence presented was insufficient to form one.
What is included in the SOC 2 report?
In addition to the auditor's opinion, a SOC 2 report contains management's description of the system in scope. The description covers:
- Infrastructure
- Software
- People
- Procedures
- Data
Read the system description carefully to find out which functions, locations or components the service organization has chosen to exclude from the audit, and whether any subservice organizations (for example the cloud provider hosting the system) are carved out, in which case their controls are not covered by this report. The description also lists complementary user entity controls: controls the vendor assumes you operate on your side. Both help you determine whether potential security concerns remain for your own systems or data.
How do you evaluate a SOC 2 report?
While evaluating a vendor SOC report, pay close attention to the controls that affect your business, particularly those relating to the security and privacy of your users' data.
If the auditor's opinion is adverse or a disclaimer, that is a clear sign of concern; a qualified opinion means you must read which controls were found deficient and decide whether they matter to you. Do not stop at the opinion: even an unqualified report may list test exceptions in the tests-of-controls section, along with management's responses to them. Examine the controls that are critical to your use of the vendor and determine whether any of the exceptions create compliance or security concerns for you.
Finally, look for exceptions or issues that, while minor on their own, compound each other and magnify the overall risk.
Scrut Automation is a one-stop shop for compliance. Our software provides the fastest solution for achieving and maintaining infosec compliance, making it an ideal choice for busy startups. Schedule your demo today to see how it works.
Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.