Common challenges and key considerations when using or reviewing a SOC report
Sep 06, 2023 · Authored by Bosco Yuen, Eric Cortese
Organizations increasingly rely on third parties (e.g., vendors, service providers) to provide critical systems and perform essential business functions. This rise in outsourced systems and services has resulted in a greater demand for third-party attestation reports that can provide transparency and assurance over the internal controls of the service providers. System and Organization Controls (SOC) reports serve as a tool to assess the controls implemented by a service organization. However, reviewing a SOC report requires scrutiny of the reliability of the report, an understanding of the key elements of the report and the adequacy of the controls to meet your organizational needs.
When reviewing a SOC report, there are many key aspects to consider and understand:
- SOC 1 – focuses on internal controls over financial reporting (ICFR)
- SOC 2 – evaluates controls related to security and may include controls related to availability, processing integrity, confidentiality and/or privacy of data
- Type 1 – controls are designed and in place as of a specific point in time (e.g., as of Sept. 30, 2023)
- Type 2 – controls are designed, in place and have operated effectively over a defined period (e.g., Oct. 1, 2022 – Sept. 30, 2023)
- Review the report’s scope to ensure it aligns with the services/systems you have engaged the vendor to perform/provide and with the coverage you need (i.e., ICFR versus security)
- Verify that the report covers the relevant areas that are critical to your operations (e.g., payroll processing, data center hosting)
- Review the reporting period being covered by the SOC report to ensure it is relevant and provides sufficient assurance for your current reporting needs
- When reviewing the system description, does it include the relevant information? For example, a SOC 2 report must include information addressing the description criteria (DC).
- For a SOC 2 report, have the principal service commitments and system requirements been disclosed?
- For a SOC 1 report, have key reports been disclosed?
- Does the auditor's opinion and management's assertion outline all applicable items required to be disclosed?
- The auditor’s opinion and management’s assertion should disclose any material issues found with regards to the presentation of the description, the design of controls and the operating effectiveness of the controls.
- The auditor’s opinion and management’s assertion will also disclose information about subservice providers, which are other service providers involved in the services being provided to you.
Complementary user entity controls (CUECs) and user entity responsibilities are often used interchangeably; however, they are not the same.
- CUECs are controls that are implemented by the user entities themselves. These controls are necessary to achieve the intended control objectives and to address any residual risk that may remain after considering the service organization’s controls. CUECs are more commonly found within a SOC 1 report.
- User entity responsibilities refer to the obligations and responsibilities of the user entity in relation to the use of services provided by the service organization. User entities' responsibilities are more commonly found within a SOC 2 report.
- Are the controls appropriately designed to address identified risks?
- For a SOC 1 report, are the controls appropriate to achieve the control objective?
- For a SOC 2 report, are the controls appropriate to achieve the Trust Services Criteria (TSC)?
- Understanding the testing procedures performed by the service auditor will allow the reviewer to better understand how controls and the supporting evidence were examined to arrive at a test result. Examine the test results and assess whether they adequately test the control to achieve your desired level of comfort.
- Analyzing the test procedures will identify any areas where parts of a control activity may not be tested, or testing performed does not align with control activities.
- Evaluate test procedures for appropriateness (e.g., inspection versus observation versus sample-based testing)
- If available, review the service organization's prior-year SOC reports. This will lend greater visibility into any control environment changes or recurring issues that have not been addressed, and can give the reviewer insight into the organization's commitment to improving its control environment.
- General grammar, punctuation and formatting errors can lead to questions regarding the service auditor's attention to detail
- Formatting and overall presentation can demonstrate a service auditor's inexperience with SOC reports, which could lead to questions about whether the service auditor understands SOC guidance and expectations.
Baker Tilly's SOC report review template will help your organization:
- Understand and evaluate the services, control processes and risks specific to each vendor, in a consistent manner.
- Identify and guide risk mitigation and overall vendor relationship management activities.
- Report upward to management and board members on vendor risk management.
© 2024 Baker Tilly US, LLP