Today’s businesses are increasingly relying on the expertise of at least one service organization to streamline their operations. It is crucial that each service organization ensures that its security controls align with those of its client, for the sake of data security.
The System and Organization Controls (SOC) report has become the standard metric for reviewing and articulating the services and internal control processes of a service organization for the benefit of the client, or user organization. These reports are invaluable for ensuring that user entities and service organizations stay on the same page in their shared goal of protecting the user organization’s data assets.
For a SOC 1, SOC 2, SOC 3 or SOC for Cybersecurity report to be truly valuable to your organization, you must be able to understand the most important information within it, and you may need some clarification as to just what the report conveys and how you can best interpret it.
1. Identify Who Issued the SOC Report.
The AICPA requires that all SOC reports be issued by an independent CPA firm. With each submitted report, check that the firm’s CPA license is up to date and that the firm holds the appropriate information technology or information security certifications. This provides assurance that the firm undergoes peer review every three years, ensuring that it is up to speed on its accounting and auditing practices at the time of your audit.
2. Determine the Type of SOC Report You Need to Interpret.
There are four SOC reports your organization may need to review, and the first step toward a better understanding of the results is to determine exactly which report you are preparing to read and interpret:
The SOC 1 audit involves the user auditor’s review of the user entity’s financial statements to evaluate the effect of the controls at the service organization, according to the AICPA. Under SOC 1, there are two types of audits a CPA may perform: SOC 1 Type 1 and SOC 1 Type 2.
- Type I – This type of report focuses on a particular date, which is why it is also known as a point-in-time report. A Type I report also includes a description of the service organization’s system. It also tests the system to determine whether the controls are designed appropriately.
- Type II – Type II reports cover a period of time, which is most frequently set at 12 months. This type of report tests the operating effectiveness and design of key internal controls over the designated period of time.
The SOC 2 report focuses on the controls at a service organization relating to security, availability and processing integrity for the systems that the service organization uses to manage and process users’ data. The report serves to ensure the confidentiality and privacy of the information processed by these systems, according to the AICPA.
Additional information to look for in your SOC 2 report includes oversight of the service organization, vendor management programs, regulatory oversight, risk management processes, and internal regulatory oversight.
Similar to SOC 1, SOC 2 features two types of reports.
- Type I – This type of SOC 2 report is an analysis of whether the service organization’s controls were designed correctly. There is no official testing here, per se, but it offers an overview of the controls as a point-in-time report to make sure the service organization is accomplishing its end goal.
- Type II – The Type II test is far more in-depth and provides more valuable insights. Here, the auditor tests the effectiveness of the controls. He or she examines how the controls really work and reviews samples to see how they function.
SOC 3 is designed to meet the user’s need for assurance regarding the controls at an organization related to security, availability, processing integrity, confidentiality or privacy. However, these are general-use reports that do not contain the level of detail that makes a SOC 2 report fully effective. They are available for wide distribution.
SOC for Cybersecurity
As data breaches and other online threats increase constantly—and businesses increasingly rely on digital communications and transactions—there is more pressure to demonstrate due diligence in managing cybersecurity threats. SOC for Cybersecurity is a relatively new risk management reporting framework developed to assist organizations to communicate relevant information about the effectiveness of their risk management programs.
3. Identify the Scope of the SOC Report.
SOC 1 and SOC 2, in particular, provide clear scopes from which you may choose. With SOC 1, you will be looking at financial statements to determine the internal controls at an organization. Here, you can decide whether you need to read and interpret the details from a specific date, or dates, or you may choose to look at a specific period. With SOC 2 reports, you’ll need to identify which of the Trust Services Criteria are covered in the audit.
Additional scope parameters that may be included:
- Specific locations
- Certain date or timeframe
- Systems involved
- Responsible staff members
- Business applications and technology platforms involved
- Processes that focus on internal control over financial reporting
While many of these parameters are applicable to each type of SOC report, double-check that all the language corresponds to your specific report. Determining the scope will help make it easier to read and understand the report.
4. Review the Auditor’s Opinion of the SOC Report.
The SOC examination report contains an independent auditor’s opinion regarding the description of the service organization’s system and whether it is presented fairly. The auditor also provides an opinion on whether the controls in the service organization are suitably designed to ensure the security of the user entity. The auditor’s opinion is presented in four possible variations:
- Unqualified Opinion – This type of report is issued when the independent service auditor completely supports the findings, with no modifications.
- Qualified Opinion – Here, the auditor cannot deliver an unqualified opinion, but the qualified findings are not so severe that they warrant the issuance of an adverse opinion.
- Adverse Opinion – An adverse opinion is rendered when the auditor has come to the conclusion that the user entity should not rely on the vendor’s systems.
- Disclaimer Opinion – The auditor offers a disclaimer when they cannot express an official opinion because they could not obtain the necessary evidence required to establish their opinion.
To clarify, the best outcome for your business, as well as for your relationship with your service organization, is to receive an unqualified opinion from their independent auditor. Any of the other opinion types should prompt you to dig deeper and evaluate the impact of any registered qualifications.
5. Make Note of Things that Need to be Improved.
The practitioner will highlight areas that require modifications and controls that could be improved in the CUECs, deviations and responses, and points of non-compliance.
Complementary User Entity Considerations (CUECs)
The complementary user entity considerations (CUECs) are controls that your organization must implement. The SOC report will help you determine if those controls are applicable and whether you need to adopt and implement them to satisfy the CUECs.
Deviations and Responses
While you are seeking good results in a SOC report, you must also look at any shortcomings and deviations, as well as the possible impact of those deviations. If deviations threaten to negatively affect your business, you should work to mitigate or compensate for them.
Exceptions or Points of Non-Compliance
As you review each control objective of a SOC report or the designated Trust Services Criteria, pinpoint any references to exceptions that took place during testing. This portion of the report is crucial since it helps illuminate any non-compliance issues and how they may impact your data and systems.
How Do You Evaluate a SOC Report?
If you are evaluating a SOC report performed on one of your organization’s vendors, or potential vendors, pay attention to the controls that have the most impact on your business’s security as you review the report. Any controls for which an adverse or disclaimer opinion is cited are clear points of concern. You must decide which of your vendor’s controls are critical and evaluate whether there are any exceptions or compliance issues that could increase your risk when working together.
What Should I Look for When Reviewing a SOC Report?
For a SOC audit performed on your organization, specifically, you should review the auditor’s opinion, CUECs, points of non-compliance, as well as deviations and responses.
SOC Report Meaning: Are You Confident at Interpreting Your Compliance Report?
If you need help understanding just what you are reading in your respective SOC reports, you are not alone. The I.S. Partners auditing team can help you pull out the most important details and build a corrective action plan for success. Call us at (215) 675-1400 or request a quote so we can get to work on reading and interpreting your latest SOC report.