Understanding the Key Components of a SOC2 Report
By Ama Boateng, ERMProtect IT Security Consultant
Businesses must take a risk-based approach when considering doing business with a third-party service provider who will handle their confidential data. This means that they must carefully assess any potential risks that the third party may introduce to the organization and prioritize the related controls, policies, and procedures. As part of the due diligence analysis, organizations must request and thoroughly review attestation reports such as SOC 2 audit reports from their critical vendors.
A SOC 2 audit report evaluates business- and technology-related controls and other safeguards employed by third-party service providers, including cloud service providers, and any business associates that provide services used to initiate, process, report, and manage data. Although every SOC 2 audit is different, the reports follow a basic outline. In each report, you will find the vendor’s management assertion, the independent auditor’s report, the vendor’s description of its system, and a listing of controls tested. Below are some key points to focus on when reviewing your vendors’ SOC reports.
Issuer of the Report
Not all auditors are qualified to issue SOC 2 reports, so it is important to ensure that the auditor issuing the report is a reputable firm. One way to confirm is to search for the firm on the AICPA’s website. According to the Association of Institute of Certified Professional Accountants (AICPA), only CPA firms can issue SOC reports. A licensed CPA firm must undergo peer reviews at least every three years. A peer review includes a review of the firm’s accounting and auditing practices to ensure they are meeting AICPA standards.
Additionally, it is important to ensure that the firm or individual issuing the report holds information technology or information security certifications. SOC 2 reports are information-security-related audits, which are different from the financial audits that CPA firms typically perform. The issuer of the report should possess certifications that demonstrate expert knowledge of cybersecurity and information security. Certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) affirm the issuer’s specialized knowledge in information security.
The time period of the report should be reviewed to ensure it covers the needs of your business. Some third-party providers may try to pass off old reports as current reports, so it is important to make sure you are provided with the current report. Understand that reporting periods vary and often do not cover full calendar years. For example, a report may have a coverage period of July 1, 2020, through June 30, 2021. If there is a gap between the report period and the time period you require for your review, you can obtain what is called a bridge letter. The bridge letter, which is provided by the third-party provider, should assure your organization that there have been no significant changes to its controls environment that could adversely impact the conclusions reached in its most recently completed SOC examination.
Please note that there are two types of SOC 2 report (Type 1 and Type 2). The type of report you are reviewing affects the period of coverage of the report. In a Type 1 audit, the report describes the design of internal controls as of a specific date. A Type 2 audit report addresses the design of the controls and also tests their operating effectiveness over a period of time, most often six to twelve months. If the report timing does not provide you with the coverage you require, ask the third-party provider about it.
Description of System and Services
Within the SOC report, the third-party provider will describe the system and services in scope. Background information and a description of the software, people, procedures, and data will all be covered in the system description. It is critical that you review this description closely to gain an overall understanding of the services that the vendor is offering and the infrastructure that supports it. From there, you can determine if it is important to the security of your system and/or data. The description is typically organized into the following sections:
- Overview of the Company, Products, and Services Delivered – Does the report address the products and services you have contracted for?
- Service Commitments and System Requirements – What is the third-party service provider promising its users with respect to the security of systems and data? Which of the five Trust Services Criteria (privacy, security, confidentiality, availability, and integrity of data) are covered in the report? Remember that some, but not all, of the Trust Services Criteria may have been in scope for the SOC 2 audit.
- Scope and Boundaries of the System – Describes the components (infrastructure, software, people, data, procedures) and how each relates to the services offered to customers or users.
- Complementary Subservice Organization Controls – What controls are managed by subservice organizations that provide a key component of the system to the vendor’s service organization?
- Complementary User Entity Controls – What controls does the third-party service provider expect you, the user of the products or services, to have in place in order for the vendor’s controls to operate effectively?
The auditor’s opinion expresses the overall evaluation of the vendor’s system, including whether the system description was presented fairly, and whether the vendor’s controls are suitably designed and functioning as expected. It is important to fully understand the opinion expressed by the auditor so your organization can evaluate how any identified issues may impact your reliance on the report.
There are four opinions that an auditor can present:
- Unqualified: The auditor fully supports the findings, with no modifications.
- Qualified: The auditor cannot express an unqualified opinion; however, the issues are not pervasive.
- Adverse: The auditor believes that there are material and pervasive issues. Report readers should not rely on the vendor’s system.
- Disclaimer: The auditor is unable to express an opinion due to insufficient evidence, and the possible effects could be both material and pervasive.
If the opinion is anything other than unqualified, you should also find a separate paragraph describing the reasons for the opinion; use it to evaluate the impact of the qualifications on your reliance on the report.
An important element of a SOC report lists the relevant exceptions noted during testing. If there are any exceptions noted, that means the controls may not have been operating effectively during the audit period. You must decide which of your vendor’s controls are critical to your organization and evaluate if there are any exceptions noted in those critical areas. Depending on the nature of the exceptions, you may want to inquire about what efforts management has undertaken to address the cause of the exceptions. You should analyze their response to make sure it is adequate based on your organization’s risk tolerance.