HOW TO REVIEW A SOC REPORT?
Can you imagine your business without a technology service provider today? We know the answer! However, due diligence on a technology service provider or vendor is an important process that each company must run before deciding whether to engage with that vendor. Reviewing the vendor's System and Organization Controls (SOC) report can be part of this due diligence process.
A SOC audit report (the "report") is a detailed document that provides assurance over a service organization's internal controls, which were examined by an independent auditor during a SOC audit. The report provides assurance that your vendor has internal controls in place to protect your data, and that if those controls are operating effectively, they will mitigate some of the risk associated with using the vendor.
When a user entity receives a SOC report, the following main questions often arise:
- Who is the auditor?
- What category and type of SOC examination were performed?
- What is the auditor's opinion?
- What was included in the audit?
- Were any relevant exceptions noted?
Below we walk through each of these questions.
WHO IS THE AUDITOR?
There are two crucial factors to consider when reviewing who issued the report. To begin with, only CPA firms are authorised to issue SOC reports, as dictated by the AICPA. Every three years, a licensed CPA firm must undergo a peer review, which examines the firm's accounting and auditing procedures to ensure they comply with AICPA guidelines.
Although it is critical to ensure that the SOC report is issued by a licensed CPA firm, there is another, equally important aspect to keep in mind: is the firm or individual issuing the report certified in information technology or information security? It is important to realise that SOC reports are information security audits, which are not the same as the financial audits typically performed by CPA firms.
You may ask your vendors to engage a CPA firm with a strong footprint in information security and other IT consulting. To confirm that background, check whether the CPA firm's team includes holders of one of the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or Certified in Risk and Information Systems Control (CRISC). These accreditations are comprehensive and demonstrate expert technical skills.
WHAT CATEGORY AND TYPE OF SOC EXAMINATION WERE PERFORMED?
A SOC 1 examination focuses on controls at a service organization that are relevant to an audit of its customers' financial statements. Readers of SOC 1 reports are typically financial executives at a user organization, compliance officers, and the financial auditors of the service organization's customers.
A SOC 2 report focuses on the needs of a broad range of users who need information and assurance about controls at a service organization.
As outlined in the AICPA's Trust Services Criteria (TSC), SOC 2 reports are based on five criteria.
A Type I audit report is a point-in-time report:
- The examination covers the design of a service organization's controls, but not their operating effectiveness.
- Such reports are issued to organizations that have controls in place but whose controls have not yet been audited over a period.
A Type II audit report covers a period of time rather than a point in time:
- The audit covers both the design and the operating effectiveness of the internal controls over a defined period.
- It provides reasonable assurance that the controls operated effectively to meet the service organization's control objectives, service commitments and system requirements during the period under review.
- AICPA guidance recommends that the report period cover a minimum of six months. The guidance also indicates that a Type II report covering a period of less than six months is unlikely to be useful to user entities and their auditors.
WHAT IS THE AUDITOR'S OPINION?
The auditor provides an overall opinion on whether the system description is presented fairly and whether the vendor's controls are suitably designed and operating as intended. The auditor's opinion is the core of a SOC report, so let's discuss it.
The auditor may present the opinion in one of four ways.
The key thing to remember is that you want an unqualified opinion. If any other form of opinion is issued, the report should contain a separate paragraph explaining the reasons for that opinion, and you should assess the effect of the qualifications on your own reliance on the vendor.
WHAT IS INCLUDED IN THE AUDITED REPORT?
The vendor includes a description of its system in the SOC report. The description of the system covers:
- background information;
- description of the software and people;
- procedures and data.
Read the description carefully to see what has been left out of scope, so that you can assess how important the excluded areas are for your own systems and data.
WERE ANY RELEVANT EXCEPTIONS NOTED?
The exceptions identified by audit testing are listed in the SOC report. This is arguably the most crucial aspect of the review process. The reader of the SOC report should know which controls are important to its business and check whether any exceptions have been noted in those areas. If the procedures where exceptions were noted are critical to the user's organization, the user must assess the impact on its assets and operations.
Our team of IT audit professionals has broad experience in completing SOC attestation engagements for service organizations worldwide. If you need further information or assistance on SOC engagements, please contact us: firstname.lastname@example.org