Try These Tips to Improve Your Reading and Understanding of SOC 1 and SOC 2 Reports
Like many budding, growing and fully mature organizations today, your business probably engages one or more, and possibly several, service organizations. Also called third-party vendors, service organizations let you hand off secondary business functions that are still essential to your operations, so that you can focus on your core mission of delivering a product or service to your customers.
Businesses typically outsource accounting and finance, payroll, information technology and cloud services, virtual assistance, marketing and logistics. These specialized services save money because you do not need to invest in dedicated infrastructure, hiring and training, and ongoing operations. However, this kind of convenient relationship cannot work smoothly in the long term without checks and balances. Entrusting your valuable data, whether it concerns customers, employees, internal operations or intellectual property, to a third party without proper accountability practices firmly in place is begging for trouble.
A SOC 1 or SOC 2 report gives you an upfront means of building a stronger relationship with each service organization by setting measurable controls for that organization and having an independent auditor examine them. The two reports answer different questions: SOC 1 covers controls at the service organization that are relevant to your internal control over financial reporting, while SOC 2 covers controls relevant to the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). Once the service organization defines its control objectives (SOC 1) or selects the criteria in scope (SOC 2), it is held to them for the duration of your engagement through regular SOC audits, usually performed annually.
An informative SOC 1 or SOC 2 report that sheds light on the service organization's controls is critical to the health of your business, and it also fosters trust and goodwill between you and the service organization.
Most important of all is knowing how to read the report so that you can extract the information that matters to you. The report can be dense, so you may need some clarification about what it conveys and how best to interpret it.
We have put together some key considerations, tips and questions to help you, the user entity, get the most out of each SOC 1 and SOC 2 report.
Who Issued the SOC 1 or SOC 2 Report?
Engaging an independent auditing firm that issues the SOC 1 or SOC 2 report upon completion of the audit is one of the most important aspects of SOC reporting. "Independent" is the key term here: the audit is conducted by an impartial third party, as opposed to an internal audit group or an IT security group within the service organization that may be biased in favor of the organization.
The AICPA sets this standard: SOC reports may be issued only by licensed CPA firms. This mandated impartiality and professionalism increases the value of the report, because your own clients and stakeholders will place greater weight on an objectively performed audit and the resulting report.
With each report you receive, check that the CPA firm holds a current license in the state where it practices. Firms that perform attestation engagements are also required to undergo peer review every three years, which gives you assurance that the firm's accounting and auditing practices were up to date at the time of the audit.
Keeping in mind that SOC 1 and SOC 2 audits both examine information technology controls at their core, it is fair to ask your service organization representative whether the CPA firm and the individuals performing the audit hold relevant information technology or information security certifications. User entities often confuse a SOC 1 audit with a traditional financial statement audit. A SOC 1 audit is not an audit of the service organization's finances; it examines the service organization's controls, including IT general controls such as logical access and change management, that could affect your own financial reporting.
It is not unreasonable to request that your service organization select a CPA firm that specializes in information security for SOC 1 and SOC 2 audits, which will streamline this part of the audit in the long term.
Review the Independent Auditor’s Opinion for Important Details for a SOC 1 or SOC 2 Report
Every SOC 1 or SOC 2 report must contain an independent service auditor's report, which states the auditor's opinion on the description of the service organization's system and its controls. The auditor's report states whether the description is presented fairly, whether the controls are suitably designed to meet the stated control objectives (SOC 1) or the applicable Trust Services Criteria (SOC 2) and, in a Type II report, whether those controls operated effectively throughout the period.
As you review the report, pay close attention to the service organization's controls that affect your business's security and, for a SOC 1 report, your financial reporting.
The independent auditor's opinion takes one of four forms:
An Unqualified Opinion.
Also called an unmodified opinion. The auditor concludes that the description is fairly presented, the controls are suitably designed and, for a Type II report, the controls operated effectively throughout the period, with no exceptions significant enough to modify the opinion.
A Qualified Opinion.
Here, the auditor cannot deliver an unqualified opinion because one or more control objectives or criteria were not met, or because the description is misstated in some respect, but the problems are not so pervasive that they warrant an adverse opinion. The basis for the qualification is spelled out in the auditor's report.
An Adverse Opinion.
An adverse opinion is rendered when the auditor concludes that the description is materially misstated or that the controls are not suitably designed or operating effectively, so pervasively that the user entity should not rely on the service organization's system.
A Disclaimer Opinion.
The auditor issues a disclaimer of opinion when they cannot obtain sufficient appropriate evidence to form an opinion, for example because the service organization restricted the scope of the auditor's work.
To be clear, the best outcome for your business, and for your relationship with your service organization, is an unqualified opinion from the independent auditor. Any of the other opinion types should prompt you to dig deeper into the paragraph explaining the basis for the modification and to evaluate how each qualification affects the services you rely on.
What Type of SOC 1 or SOC 2 Test Was Performed and What Was Covered?
The report type is one of the most critical things to look for when reading a SOC 1 or SOC 2 report. Both SOC 1 and SOC 2 come in two report types, Type I and Type II, which offer different information and value.
SOC 1 Report Types
A Type I report is as of a specified date, which is why it is also known as a point-in-time report. It includes a description of the service organization's system and the auditor's opinion on whether that description is fairly presented and whether the controls are suitably designed to achieve the control objectives as of that date. It does not tell you whether the controls actually operated.
A Type II report covers a period of time, most often 12 months and typically at least six. In addition to design, the auditor tests the operating effectiveness of the key internal controls throughout the period and reports the results of those tests, including any exceptions.
SOC 2 Report Types
A SOC 2 Type I report assesses whether the service organization's controls were suitably designed as of a point in time. The auditor tests design only, through inquiry, observation and inspection of evidence, rather than testing operation over time, so the report offers a snapshot of whether the controls, as designed, can meet the selected Trust Services Criteria.
A SOC 2 Type II report is far more in-depth and provides more valuable insight. Here the auditor tests the operating effectiveness of the controls over the review period, examining how each control really works and reviewing samples of evidence, such as access reviews or change tickets, to see whether the control functioned consistently.
What Was the Scope of the SOC 1 or SOC 2 Audit?
The service organization defines the scope of the SOC 1 or SOC 2 audit through its description of the system, which covers the people, procedures, data, software and infrastructure within the audited environment. Compare that description with the services you actually consume so that you can identify anything the service organization has excluded, and then judge whether any omission matters to the security of your data and systems. Two parts of the description deserve special attention: subservice organizations (such as a cloud hosting provider) that the service organization has carved out of the report, whose controls you then need to evaluate separately, and complementary user entity controls, which are controls the report assumes you operate on your side; if you do not operate them, the service organization's controls may not achieve their objectives for you.
Additionally, with SOC 2 reports, determine which of the Trust Services Criteria the service organization chose to include: security, which is required in every SOC 2 report, plus optionally availability, processing integrity, confidentiality and privacy. A report that covers only security tells you nothing about, for example, the service organization's availability commitments.
Review and Analyze Any Exceptions or Non-Compliance in the SOC 1 or SOC 2 Report
As you review each control objective in a SOC 1 report, or each Trust Services Criteria category in a SOC 2 report, pinpoint any exceptions noted during testing, along with management's response to them. This portion of the report is crucial because it illuminates where controls did not operate as described and how that may affect your data and systems. An exception does not necessarily lead to a qualified opinion, so read the exceptions themselves rather than relying on the opinion alone, and focus on exceptions in the controls that you rely on.
Do You Need Additional Help Understanding SOC 1 and SOC 2 Reports?
Are you struggling to evaluate your vendors' compliance efforts? Do you feel like you may be missing something that could improve their compliance and the security of your systems and data? You may just need a little more help reading and breaking down your SOC 1 or SOC 2 report. Our I.S. Partners, LLC team is here to help.