As a follow-up to a blog post previously published by The Mako Group’s Chief Audit Executive, Shane O’Donnell, let’s dig a little deeper into what you should be reviewing when you receive your vendors’ SOC 1, SOC 2 or SOC 3 reports.
Each SOC (Service Organization Controls) report follows a basic outline. You will find the vendor’s management assertion, the independent service auditor’s report, the vendor’s description of its system, and a listing of controls tested. Below are some key points to focus on when reviewing your vendors’ SOC reports.
Who Issued the Report?
When noting who issued the report, there are two important factors to be considered. First, according to the AICPA, only CPA firms can issue SOC reports. A licensed CPA firm must undergo peer reviews at least every three years. A peer review includes a review of the firm’s accounting and auditing practices to ensure they are meeting AICPA standards.
While it is important to ensure that the firm issuing the SOC report is a licensed CPA firm, there is a second, yet equally important, point to be considered. Does the firm or individual issuing the report have information technology or information security certifications? It is important to understand that SOC reports are information-security-related audits. These are very different from the financial audits that CPA firms typically perform.
You can encourage your vendors to engage with a CPA firm that specializes in information security. Look for certifications, such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC), to name a few. These certifications are rigorous and demonstrate expert knowledge of cybersecurity and information security.
What Is the Auditor’s Opinion?
Within the SOC report, you will find an independent service auditor’s report. In this section, the auditor documents the overall opinion regarding the vendor’s system, including whether the system description was presented fairly and whether the vendor’s controls are suitably designed and functioning as expected. The auditor’s opinion is the main reason for a SOC report, so it is important to understand the meanings of the different opinions.
There are four possible ways that the auditor can present the opinion:
- Unqualified: The auditor fully supports the findings, with no modifications.
- Qualified: The auditor cannot express an unqualified opinion; however, the issues are not pervasive.
- Adverse: The auditor believes that there are material and pervasive issues. Report readers should not rely on the vendor’s system.
- Disclaimer: The auditor is unable to express an opinion due to insufficient evidence, and the possible effects could be both material and pervasive.
The most important point to keep in mind is that you want an unqualified opinion. If any other type of opinion is issued, the report should also contain a separate paragraph describing the reasons for that opinion; read it closely and evaluate the impact of the qualifications on your organization.
What Was Included in the Audit?
Within the SOC report, the vendor will provide a description of the system in scope. Background information and a description of the software, people, procedures, and data will all be covered in the system description. Because you are familiar with your vendor’s systems and infrastructure, review this description closely to determine what the vendor may have chosen to exclude from the audit. From there, you can determine whether anything excluded is important to the security of your system and/or data.
Were Any Relevant Exceptions Noted?
Each type of SOC report will include the relevant exceptions noted during testing. This is arguably the most important element of a SOC report. You must decide which of your vendor’s controls are critical to your organization and evaluate whether any exceptions were noted in those critical areas. If you find exceptions and determine they affect controls critical to the security of your organization’s data, you must determine the impact they will have on your organization’s security.