What Is a SOC Report?
A SOC (System and Organization Controls) report is an independent audit report issued by a certified public accountant (CPA) firm. It provides insight into a service organization's internal control environment.
Why Is a SOC Report Important?
A SOC report:
Verifies the vendor has controls in place to protect their system
Confirms the controls in place are operating effectively and if there are any control exceptions (Type II)
Ensures independent testing of controls has been completed
Provides a detailed overview of the control environment supporting the product or service in scope of the audit
Assists greatly with the inherent risk and criticality assessment, due diligence and residual risk determination, and ongoing monitoring phases of the vendor lifecycle, and supports compliance with regulatory expectations
Key Differences
SOC 1
Designed to review a vendor’s internal controls as they relate to your financial reporting, and provides a description of the vendor's system and control environment.
SOC 2
An examination of the vendor's controls against one or more of the five Trust Services Criteria categories (security, availability, processing integrity, confidentiality and privacy), with a description of the vendor's system and control environment. The security criteria (the common criteria) apply to every SOC 2; the other four categories are in scope only if the vendor elects to include them, so check which categories the report actually covers before relying on it.
SOC 3
A general-use summary of the vendor's system and control environment, based on the same examination as a SOC 2, that the vendor may share publicly (often accompanied by a SOC 3 seal). It does not include the auditor's detailed test procedures or results, so a SOC 3 is typically useful only for initial vendor vetting; request the SOC 2 for actual due diligence.
SOC Time Frame
Type I and Type II (for SOC 1 and SOC 2)
Type I
Covers controls as of a point in time, i.e., a single date. The auditor reports on whether the controls are suitably designed as of that date, not on whether they operated.
Type II
Covers controls that were in place and operating over a period of time. The Type II assessment is more rigorous: the controls are tested for operating effectiveness throughout the period, not just for design.
Gap in Coverage
Should there be a gap in "coverage" between SOC reports, or an extended amount of time since the end of the last SOC reporting period, you should request a Bridge/Gap Letter. Note that the bridge letter is written by the service organization's management, not the auditor, and its contents are not audited.
A Bridge/Gap Letter should include:
The SOC report period end date
Material changes in the internal control environment (if any)
A statement that the service organization isn't aware of any other material changes beyond those listed in the bridge letter (if any)
A reminder that user organizations are responsible for implementing the complementary user entity controls, sometimes referred to as client control considerations or user control considerations
A request for user organizations to read the report
A disclaimer that the bridge letter isn't a replacement for the actual SOC report
Reporting Period
A SOC report can cover a period of time (Type II), in which case it covers controls that were in place and operating during that time frame, typically six to twelve months; or it can cover a point in time (Type I), in which case it audits controls on a specific date and includes a review of the suitability of their design. In either case, ensure the report you are reviewing is the most current one available.
Report Currency
For Type I reports, check whether the vendor has since had a Type II report performed and request it; if not, request a new report annually. For Type II reports, once the report is older than its reporting period is long, plus three months (for example, a twelve-month report is stale fifteen months after its period end date), request the next report or a bridge letter from your vendor.
Section 1
Independent Service Auditor's Report (Auditor's Opinion)
The auditor states their overall conclusion on the control environment as an opinion. Generally, there are four types of opinions you will see in a SOC report: unqualified, qualified, disclaimer and adverse.
Unqualified opinion
An unqualified opinion, though it sounds bad, is the best news you can hear when discussing SOC report opinions, and it should be the standard expectation. You won't necessarily see the words "unqualified opinion" anywhere in the report, because it is the baseline or normal state of a SOC report. When the auditor concludes that the vendor's description fairly presents the system, that the controls were suitably designed and, in the case of Type II reports, that the controls operated effectively, the report is unqualified.
Qualified opinion
A qualified opinion means the vendor had at least one control objective (or trust services criterion) whose controls were not suitably designed or not operating effectively. In other words, the issues identified were significant enough to deem one or more controls ineffective, but not pervasive enough for an adverse opinion. Read the "except for" language in the opinion to see exactly which objectives are affected.
Disclaimer
A disclaimer of opinion is issued when the auditor could not obtain enough evidence to conclude either way, so no opinion is expressed on the report as a whole. This is rare. Do not confuse it with individual controls that could not be tested because no instances occurred during the period (for example, communicating incidents or breaches to clients); those are usually noted in the testing section and deserve a closer look, but they do not by themselves change the opinion.
Adverse opinion
An adverse opinion means the auditor concluded that the description does not fairly present the system, or that the controls were not suitably designed or (for Type II) did not operate effectively, and that the problems are material and pervasive. These are very rare, and a serious red flag.
Be aware that the order of Section 1 and Section 2 may be flipped in some SOC reports.
Found in: SOC 1, SOC 2 and SOC 3 reports.
Section 2
Written Assertion of the Vendor's Management
Found in: SOC 1, SOC 2 and SOC 3 reports.
Management's written assertion is the vendor's own statement about its system and controls. The auditor's opinion in Section 1 is an opinion on whether this assertion is fairly stated, so read the two together and check that they refer to the same system, period and criteria.
Primary clauses to be included in the written assertion:
1. That management's description of the service organization's system fairly presents the system as designed and implemented throughout the reporting period (or as of the specified date, for a Type I report).
2. That the controls stated in the description were suitably designed to achieve the control objectives (SOC 1) or the applicable trust services criteria (SOC 2).
3. The criteria management used to make these assertions and, for a Type II report, that the controls operated effectively throughout the period.
Section 3
Organization's Description of Its System and Controls
This section gives you more information about your vendor. It may include when the company was founded, its location, its executive and senior management structure and more. While reviewing this part of the report, make sure the following pieces of information are included:
Organization & Administration
Tone from the top: board of director and executive leadership support of risk management; security training and policy acknowledgement.
Products and Services
Many vendors have several SOC reports for different products and services, and they can all be different. Confirm the report covers the specific product or service you use; you may need more than one report to cover it.
Examples: information technology outsourcing, payment processing, call center support.
The Information System
Understanding what type of information your vendor processes and how they protect it is critical. Your vendor should describe how they secure servers, networks and computer systems. Be sure to look at the following areas: server security, network security, access management, vulnerability management and system management.
Data Center Information
Understand the access controls, environment and monitoring of this infrastructure. Data center protections are crucial to protecting information. Look for how your vendor manages its data center and ensures the infrastructure is resilient and available. Review: physical access controls, environmental controls and monitoring controls.
Third-Party Risk Management
Subservice organizations (a.k.a. your fourth parties): the description should name any subservice organizations the vendor relies on and state whether their controls are included in the report (inclusive method) or carved out. Carved-out subservice organizations are not covered by the auditor's testing, so you will need their SOC reports separately.
Complementary User Entity Controls (CUEC)
These are the controls the vendor relies on you, the user entity, to implement in order to achieve the vendor's control objectives. Individual CUECs vary greatly depending on the SOC report, service organization and industry. CUECs are critical to understand, as they outline what you, the user entity using the product or service, must do for the control objectives to be effective: the report is placing some responsibility on your organization. Map each CUEC to a control you actually operate, and treat any that you cannot map as a gap.
Examples of what a CUEC could say:
User entities are responsible for controls to provide reasonable assurance that output reports are reviewed by appropriate individuals for completeness and accuracy.
User entities are responsible for implementing authorization policies and procedures to ensure transactions are appropriately authorized and are secure, timely and complete.
Section 4
Examination of Control Objectives and Activities (SOC 1) / Applicable Trust Services Criteria (SOC 2)
Found in: SOC 1 and SOC 2 reports.
This is where the audit firm lists each control, the tests it performed and the results, so you can see whether the controls are in place (Type I) and operating effectively over the period (Type II). Identifying the exceptions the auditor noted, and how management responded to them, is an important tool in determining whether the vendor can provide the service they are contracted to provide. For each exception, note whether it is a design or an operating failure, how many items failed out of the sample tested, and whether management's response describes a remediation you can verify in the next report.
Review the COSO Principles
The 2017 Trust Services Criteria, required for SOC 2 reports covering periods ending on or after December 15, 2018, are aligned with the COSO 2013 framework, which made the control requirements more specific. The COSO principles overlap with and build upon the Trust Services Criteria, so it is important to consider them during your SOC review. There are 17 principles falling under five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
Think critically as you review the principles and ask yourself questions like the following:
Does the vendor have an established code of ethics?
Does the vendor make governing policies available to employees?
Does the board of directors maintain independence and oversee the actions of management and operational staff?
Does the vendor maintain an incident response program?
Did the auditors note any exceptions during control testing?
Section 5
Other Information Provided (Additional Vendor Information)
Included on a case-by-case basis.
This section is unaudited: the auditor has not tested anything in it, so treat its contents as vendor statements rather than verified facts. It gives the vendor an area to share additional information related to the control environment. Common examples are management's response to exceptions and other details about the control environment.
Conclusion
Reviewing vendor SOC reports is an integral component of mitigating and reducing vendor risk.