Part 3 of 3: How to Review SOC Reports for More Business Value
By Zachary Ugol, Risk Management Consultant
We have been discussing System and Organization Controls (SOC) reports and how they can be used to establish and maintain trust between service providers and their customers. In our first blog, we covered the basic benefits of SOC reporting. In our second blog, we covered the various kinds and types of SOC reports and how they are used to support compliance requirements. In this blog, we tackle one of the most important questions: What information matters most when reviewing a SOC report?
What information is significant in a SOC report (SOC 1, SOC 2, SOC 3, etc.)?
A common challenge with SOC reports is a lack of understanding around how to write (for service providers) and to interpret (for customers) these reports. As these reports have been developed and are governed by the AICPA, the individuals with the most experience around SOC reports are the CPAs who produce them, rather than the service providers and customers who use them.
Larger organizations have used these reports since their inception. However, as the risks around data security and privacy increase, small to mid-size organizations are under growing pressure from their customers to provide these reports as well.
Let’s start by highlighting and defining a few key terms:
- Section 4 – Auditor’s Testing & Results: This is arguably the most important section of the report. It includes a table that details, control by control, the tests the service auditor performed and the results of those tests, including any exceptions (control failures) noted. Note that an exception in Section 4 does not by itself mean the auditor’s opinion in Section 1 is qualified; read both together.
- Complementary User Entity Controls (CUECs): In designing their controls, the service organization assumes that the users of the service (i.e., the customers) will implement certain controls on their side in order for the control objectives to be met. The AICPA term is “complementary,” not “complimentary.”
- Complementary Subservice Organization Controls (CSOCs): In designing their controls, the service organization relies on a subservice organization (for example, a hosting or data center provider) to perform certain controls in order to meet the control objective.
Understanding CUECs and CSOCs
If the language of CSOCs and CUECs is confusing, you are not alone; the profession continues to refine this terminology over time. At a high level, the purpose of including this information within a SOC report is to clearly identify and delineate the responsibilities of the service provider, the customer, and any other organizations that support the customer’s compliance requirements. The graphic below illustrates the relationship between the Customer, the Service Organization, and the Subservice Organization.
Relationship between the Customer, Service Organization, and the Subservice Organization
To expand on that, here is a practical example. Please note that this is a hypothetical example and does not reflect any real organization.
What should I look for in a SOC Report?
To help decode SOC reports, the table below lists a few of the critical areas to review, along with questions to consider, for both service providers and their customers.

SOC Reports: Critical Review Areas for Customers and Service Providers

Review Area | Customers | Service Providers
---|---|---
Section 4 – Auditor’s Testing and Results | Customers should review the results of testing and assess whether control failures (exceptions) require additional consideration, asking the following questions: | Service providers should ensure that they have provided a sufficient management response to each control failure.
Complementary User Entity Controls (CUECs) | Customers are responsible for ensuring that these controls are in place and operating effectively in their own environment, and should ask the following questions: | Service providers should ensure that they have included all relevant CUECs and should ask the following questions:
Complementary Subservice Organization Controls (CSOCs) | Customers should assess whether the subservice organization’s controls are effective. Where the report uses the carve-out method, the subservice organization’s controls are outside the auditor’s scope, so customers should obtain and review the subservice organization’s own SOC report. | Service providers should identify every area in which they rely on a subservice organization to meet control objectives and state whether the inclusive or carve-out method was used.
SOC Reports Build Trust and Reduce Risk
In this blog series we have covered the basics of SOC reporting. We’ve covered what they are, the kinds and types of reports that are available, as well as key information included within the report.
To summarize the importance of SOC reports: in order to maintain ongoing protection against potential security breaches, companies and service providers must communicate regarding compliance requirements and ensure that responsibilities have been clearly divided. For customers, it is important to understand how vendors support your compliance requirements and which controls remain your own responsibility. For service providers, it is important to understand stakeholder compliance requirements and to design services that meet those requirements.
Don’t miss our SOC Reporting blog series!
Check out our first SOC reporting blog on responsibilities and benefits of SOC reports and the second in the series exploring the kinds and types of SOC reports. Follow us on LinkedIn, Facebook, and Twitter for updates.
Learn More: The Impact Makers Solution
Impact Makers’ Risk Management consultants have knowledge of SOC reports and insights to help both service providers and their customers.
For service providers, we help answer the following questions:
- Have I provided the user of the report with all relevant information?
- Is there additional information I ought to include within the SOC report?
For customers, we help answer:
- What should I do with the results of the SOC report?
- Do control failures impact our compliance requirements?
We work with our customers to deliver and enable strategic business advantage with Information Security & Risk Management services.
To learn more, contact us.