Many organizations include the review of Service Organization Controls (SOC) examination reports in their annual vendor due diligence activities; however, most are unsure of what they should be looking for in the report. Determining what is relevant and knowing how to read a SOC examination report can help to ensure that organizations get the most value and assurance out of their review.
Determining the Type and Scope of the Report
The SOC report should first be reviewed to obtain information regarding the type and scope of the examination performed. The report can be a Statement on Standards for Attestation Engagements No. 16 (SSAE 16)/Service Organization Controls No. 1 (SOC 1), Service Organization Controls No. 2 (SOC 2), or Service Organization Controls No. 3 (SOC 3). SOC reports can also be Type 1 or Type 2. The scope of the examination may vary depending on the control objectives or principles selected by the service organization and the existence of any key subservice providers.
Types of Reports
An SSAE 16/ SOC 1 examination is a report on controls at a service organization relevant to user entities’ internal control over financial reporting. These reports are specifically intended to help user entities and the Certified Public Accountants (CPAs) that audit the user entities’ financial statements in evaluating the effect of the service organization’s controls on the user entities’ financial statements.
A SOC 2 examination is a report on controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
A SOC 3 examination is for users who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report. SOC 3 reports do not include a description of the system or the detailed description of tests of controls and related test results that are included in SOC 2 reports. SOC 3 reports are not recommended for use in performing vendor due diligence activities.
SOC reports can be Type 1 or Type 2. A Type 1 report covers the suitability of the design of controls as of a point in time. A Type 2 report covers the suitability of the design and operating effectiveness of controls throughout a specified period, ranging from 6 to 12 months. A Type 2 report may provide the organization with greater assurance on the effectiveness of the service organization’s internal controls. The period of coverage should be considered to ensure the report covers the desired time period and is current.
Scope of the Report
Organizations should determine whether the scope of the report appears adequate to meet their needs. The scope of the SSAE 16/SOC 1 examination is based on the control objectives selected by the service organization. Most SSAE 16/SOC 1 examination reports include coverage of the following areas: company organization and administration, customer servicing, computer operations, software change management, logical security, and physical security. The scope of SOC 2 and SOC 3 examinations is determined by the principles selected by the service organization. Each principle has predetermined criteria.
The products and services addressed by the examination should be reviewed to ensure that the report is relevant to the organization and adequately covers the services used by the organization.
Key Areas to Review
After evaluating the relevancy and adequacy of the report, there are key areas of the SOC report that the organization should be sure to include in its review:
- The Opinion
- The complementary user entity considerations (CUECs)
- Deviations and responses
A SOC examination report contains an Opinion on whether management’s description of the service organization’s system is presented fairly and whether the controls in the service organization’s system are suitably designed. A Type 2 report also contains an Opinion on whether the controls were operating effectively. There are four opinion variations that the service auditor can issue depending on the evaluation of management’s assertion: Unqualified, Qualified, Adverse and Disclaimer. If the opinion is anything other than unqualified, the organization should evaluate the cause and impact of the qualifications.
CUECs are controls that need to be implemented by the organization. During the SOC report review, the organization should determine whether the CUECs are applicable and whether it has implemented controls to satisfy the recommended CUECs.
Deviations and Responses
The report should be reviewed for any noted deviations. Organizations should determine the impact of any deviations and how they plan to mitigate or compensate for them. Management’s responses to deviations should be reviewed to help ensure that the service provider has sufficient plans to address identified deviations.
Nick Norton, MPAc is a Manager in Macpage’s Information Assurance Services group. Nick performs technology auditing in all areas of IT-related controls including IT department organization and administration, computer/daily operations, software change management, logical security and physical security. Nick has extensive experience with SOC Examinations, IT General Control Reviews, Agreed-Upon Procedures and Risk Assessments. Nick joined Macpage in 2010 and obtained the Certified Information Systems Auditor (CISA) designation in 2013. Nick received his Bachelor’s degree in business administration and his Master’s in Professional Accountancy (MPAc) from Bryant University.
For more information regarding SOC examination reports, please reach out to Nick at (207)523-3335 or firstname.lastname@example.org.