This article was featured in the Sept/Oct 2017 Nebraska Banker Magazine.
A SOC report is one of the most valuable due diligence documents you can obtain from your vendors. A SOC report describes a vendor's systems and indicates if those systems are designed to protect you, as a user. While the first step in obtaining a SOC report from your vendor is fairly simple, the second step involves reviewing the report, which requires a bit more effort.
This article will highlight the basics of reviewing a SOC report. SOC reports have a fantastic structure. You can find most of the information you need in the brief Independent Service Auditors Report section of the document.
To determine the report type, you must first determine whether the report is a SOC 1, SOC 2, or SOC 3. A SOC 1 report addresses internal controls, as pointed out by the service provider. A SOC 2 report addresses the five Trust Services Criteria. Larger service organizations often provide SOC 2 reports, as they are much more complex, expensive, and invasive engagements. A SOC 3 report is a SOC 2 report without any included results. SOC 3 reports are typically used for marketing purposes.
Second, you must determine whether the report is a Type 1 or a Type 2. A Type 1 report focuses solely on the description of the vendor's controls and the suitability of each control's design to achieve the control objectives. A Type 2 report additionally includes an auditor's opinion on the operating effectiveness of the controls to achieve the control objectives. Though the Type is typically identified in an obvious way, you can also determine the Type based on the timeframe. Type 1 engagements have a single "as-of" date, whereas Type 2 engagements have a timeframe.
SOC reports are valuable for monitoring a service organization's stability and security. However, it is important to consider the service you receive from the vendor and ensure the service you use, or plan to use, is included in the reported audit engagement. The Independent Service Auditors Report section should identify all assessed services.
Complementary User Entity Controls
Complementary user entity controls are controls the service provider assumes you, as the client, will implement to complete the security. See the Scope section to determine if there are any complementary user entity controls. If complementary user entity controls exist, proceed to the section titled Description of Controls (or similar) for a list. Document the list in your review and ensure your bank has implemented the assumed controls.
Subservice organizations are any organizations the vendor relies on to provide services to their clients. See the Scope section to determine if any subservice organizations or service providers are identified. If subservice organizations exist, proceed to the section titled Management's Assertion (or similar) for a list of subservice organizations.
Limitations include anything that could limit the ability for the auditor to document or test a control, such as an area that could not be tested at the time. See the Limitations section to determine if there were any limitations present during the examination.
The auditor's opinion should assert that the service organization's controls are (1) described fairly, (2) designed effectively, and for Type 2 reports (3) operating effectively over a specified period of time. This wording is standardized in all SOC reports. See the Opinion section to review the auditor's judgment. If any significant exceptions exist, document the exceptions in your review.
Type 2 SOC reports include a section called Test Results (or similar) to identify any exceptions. The auditor's opinion should identify any significant issues. The test results, however, identify all issues, even if they were not considered significant enough for the auditor to highlight. See the Results column of the Test Results section for exceptions. Each noted exception should be considered a weakness for the control.
Document these seven concepts on each SOC report review to help you ensure your relationship with a vendor is or would be a beneficial relationship for your bank. By recognizing and evaluating a vendor's weaknesses in this way, you can help ensure any relationship between your bank and the vendor is as strong and secure as possible.