March 30, 2023
I Got a SOC 2 Report for My Vendor Management - What Now?
Do you know someone who got a new set of golf clubs only to have it end up in the closet because they didn’t quite understand the mechanics needed to find success? You can swing the club all day, but there is always the need to understand the principal elements that can bring that sense of value. Let’s face it, many have gotten a SOC 2 report and essentially put it in the closet. It was received from a service provider only to get filed away so a check can be placed on the vendor management program. But what do you do with it now that you’ve got it? What information should I be taking from the report? How can the SOC 2 report bring value to my work? Here are tips to make every SOC 2 audit report meaningful.
Quick History
It may still be challenging now, but more than 30 years ago, it was difficult to gain a confident understanding of a service provider’s performance in its service delivery. Add to that, a financial auditor needed enough assurance on the performance of the service provider’s internal controls and their impact on the end customer’s financial reporting. It wasn’t feasible for a financial auditor to audit the service provider. Something needed improvement, and that’s where the American Institute of Certified Public Accountants (AICPA) stepped in. In 1992, they developed an audit of controls for service providers called a SAS 70. Performed by certified public accountants (CPAs), the SAS 70 provided a method by which an independent audit could be performed of the service organization’s (service provider’s) internal controls that their customers’ financial auditors could rely upon.
Eventually, there was a realization that (1) the SAS 70 was focused more on the service organization’s internal controls over financial reporting and not as much on topics like security, and (2) the service organization would determine its own controls rather than have them compared to an established standard. So, the AICPA developed several standards that eventually gave birth to three SOC reports: SOC 1, SOC 2, and SOC 3.
- SOC 1: This is the closest to the original SAS 70 purpose. It uses an auditing standard to provide independent reports on a service organization’s internal controls that could affect their users’ (someone that has a need for the report) financial reporting. Which kind of user would find this report useful? An example would be customers of service organizations that provide loan servicing or process medical claims.
- SOC 2: The SOC 2 provides visibility into what a service organization is doing to ensure that its resources and services meet controls applicable to security, availability, processing integrity, confidentiality, or privacy requirements, known as the trust services criteria. (AICPA- TSP Section 100.12)
- SOC 3: This report provides an examination similar to the SOC 2, but by comparison it doesn’t offer much visibility into the service organization. The description of the system is likely much shorter, but you still get the auditor’s opinion.
SOC 2 Report Critical Parts
If you have a SOC 2 report from one of your service providers, these are the critical parts that you should pay attention to.
The Description of the System
This section is where the service organization describes, in narrative form, its infrastructure, software used, procedures, and data used to deliver services. Read this part to get a solid understanding of what they say they are doing to maintain a secure and appropriate level of service to you. Pay attention to:
- Subservice Organizations: Subservice organizations are outsourced vendors that may be integral to your service organization’s services to you. For instance, if your service organization states that it utilizes an intrusion prevention system to monitor its network and servers, it would be good to know if it’s actually an outsourced service provider that is providing that service to the service organization, which in turn provides that service to you.
- Software: Look carefully at the software that may be listed as system components. Does the service organization use any products that you’ve heard about in the news in relation to data breaches or vulnerabilities?
- Incidents: During the audit, the auditor and the service organization should have had a conversation about any significant service or security incidents during the time frame of the audit. If so, it should be summarized in this section.
The Scope - Trust Services Criteria
In the SOC 2 report, look for the auditor’s report, which is likely in section 2 and titled “Independent Service Auditor’s Report.” This has the word “scope” toward the beginning of the section. In the next paragraph, you’ll see the part that states, …system requirements were achieved based on the trust services criteria relevant to…, which will be followed by one or more of the five trust services criteria above. That tells you that the scope of the audit was based on controls associated with those listed categories. (Reference AICPA- Illustrative Service Auditor’s SOC 2® Type 2 Report in Accordance with SSAE No. 21, 2022 for additional details.)
Type 1 or Type 2
If it’s a Type 1 report, the auditor will provide an opinion on two things:
- a) Whether the description of the service organization’s system fairly presents what was designed and in place during a specific period.
- b) Whether the controls in the description were suitably designed to achieve the service organization’s services based on the scoped trust services criteria.
If it’s a Type 2, the auditor will opine on a) and b) and add:
- c) Whether the controls were operating effectively throughout a defined period.
Opinion Options
So, when it comes to an auditor opinion within the report, what might you see? You may see the following:
- An Unqualified Opinion: This is a good thing. It means the auditor didn’t find any concerns in their testing. It will likely state something like, In our opinion, in all material respects, and then state the Type 1 and possibly Type 2 components above. (AICPA. AT-C §205.63g) Be aware that there may still be some control testing deviations (failures) in the report that, in the auditor’s professional judgment, were not significant enough to affect the opinion.
- A Qualified Opinion: Things could have gone better for the service organization. It means that the auditor has some concerns about the controls. This is usually indicated by the opinion section outlining the auditor’s reasons for issuing such an opinion, followed by something like, In our opinion, except for the matter described in the preceding paragraph, … (AICPA. AT-C §205.73)
- An Adverse Opinion: Yikes, you don’t want to see that! This means that the auditor had such a concern with the number of control deviations, the pervasiveness of control failures, or other issues that the opinion is not favorable on all of the Type 1 or Type 2 components. Again, there will be a paragraph explaining why, and then the components may read like (AICPA. AT-C §205.75):
- ...does not fairly present.
- ...were not suitably designed.
- ...did not operate effectively.
- A Disclaimer of Opinion: In these cases, the auditor either didn’t get a description of the system adequate to develop a trustworthy scope for the audit or didn’t get the appropriate amount of access to information to be able to provide an opinion. So, after writing an explanation paragraph, the auditor writes something like, … scope of our work was not sufficient to enable us to express, and we do not express, an opinion. (AICPA. AT-C §205.80)
Testing of Controls and Results
This portion of the report provides detail on the specific controls the service organization has, which trust services criterion each control applies to, how the auditor tested the control, and the results of the test. It’s presented in a matrix format.
Other Important Parts and Notes
The Assertion Letter
This is typically section 1 of the SOC 2 report. It is the formal statement by the service organization’s management asserting whether they meet the trust services criteria: This is what we do and under these limits. These controls are suitably designed and were in place during this time.
Complementary User Entity Controls
Make sure you are familiar with the controls detailed as Complementary User Entity Controls (CUECs). These are the controls that the service organization expects its customers to have implemented to work in conjunction with its own controls. For instance, if a service organization has a ticketing system, it is expected that the customer will protect access to the online ticketing system by issuing credentials only to employees who need access. CUECs may be listed within the description of the system or as an attachment.
Other Information
Often, a SOC 2 report will have an added section toward the end (section 5). It may provide additional information on a significant business interruption that occurred after the audit period, management responses to control deviations, or other information that service organization management believes is fundamental to the user’s understanding of the report.
Intended User
Does a service organization make the SOC 2 report available to just anyone? Likely not. The AICPA has outlined circumstances for who should receive the report. It wants to limit the SOC 2 intended user to those that have enough knowledge and understanding of the services, internal controls, user responsibilities, and how the service may interact with other parties. Basically, the SOC 2 report is intended to be limited to a service organization’s customer management, their auditors, regulators, and possibly extending to the customer’s customer.
SOC 2+
Occasionally, you’ll see a SOC 2+ [some other framework]. In these reports, the auditor performs the SOC 2 audit, but the opinion also addresses the service organization’s ability to meet the additional framework’s criteria or requirements. A good example of this is a SOC 2+ HIPAA, which shows how a service organization’s controls meet established Health Insurance Portability and Accountability Act (HIPAA) criteria.
Go ahead. Get those SOC 2 reports that were put in the closet and dust them off. Take a good look at what they are telling you about your service provider. You’ll be glad you took the time to understand the level of service they are providing your company and appreciate that you’ve improved your insight on how to strengthen your vendor management program.
Authored By: Paco Diaz, CISA, GRCP, ITIL/F