We provide a list of essential questions to consider when assessing a SOC report to enhance your evaluation process and fortify your cybersecurity strategy.
In previous articles, we’ve guided you through the complex world of system and organization controls (SOC) reports, helping you select the right one for your organization’s needs and familiarize yourself with the format.
Now, in the final installment of our series, we delve deeper into what else you should take into consideration when reviewing reports from your vendor.
In each SOC report, you will find the vendor’s management assertion, the independent service auditor’s report, the vendor’s description of its system, and a listing of controls tested. Below are some key points to focus on during your review.
Who issued the report?
When considering who issued the report, there are two principal factors to consider.
First, it is important to verify the credentials of the provider to ensure your SOC report provides valuable insights. According to the American Institute of Certified Professional Accountants (AICPA), only CPA firms have the authority to issue SOC reports. Licensed CPA firms must undergo peer reviews at least once every three years to ensure their accounting and auditing practices meet AICPA standards. To verify a CPA firm’s status, you can visit the AICPA’s public file website.
While it is important to ensure the SOC report was issued by a licensed CPA firm, there is a second, yet equally important, point to consider: Does the firm or individual issuing the report have information technology or information security certifications? It is important to understand that SOC reports are information security-related audits, which are vastly different from the financial audits CPA firms typically perform.
Since SOC reports extensively investigate information security, it’s imperative that the professional responsible has a solid foundation in the field. Look for certifications such as:
- Certified Information Systems Security Professional (CISSP).
- Certified Information System Auditor (CISA).
- Certified Risk and Information Systems Control (CRISC).
These certifications are rigorous and demonstrate expert knowledge of cybersecurity and information security.
What is the auditor’s opinion?
Within the SOC report, you will find an independent service auditor’s report. In this section, the auditor documents the overall opinion regarding the vendor’s system, including whether the vendor presented the system description fairly and whether its controls are suitably designed and functioning as expected.
The auditor’s opinion is the main reason for a SOC report, so it is important to understand the meanings of the different opinions. There are four ways an auditor can present their opinion on a SOC report:
- Unqualified: The auditor fully supports the findings, with no modifications.
- Qualified: The auditor cannot express an unqualified opinion.
- Adverse: The auditor believes that there are material and pervasive issues. Put simply, report readers should not rely on the vendor’s system.
- Disclaimer: The auditor is unable to express an opinion due to insufficient evidence and the possible effects could be both material and pervasive.
The most critical point to keep in mind is that you want an unqualified opinion. If the result is any other type of opinion, you should also find a separate paragraph to describe the reasons for the opinion and evaluate the impact of the qualifications.
What did the audit include?
Within the SOC report, the vendor will provide a description of the system, which should cover all the following: background information and a description of the software, people, procedures, and data.
Due to familiarity with your vendor’s systems and infrastructure, review this description closely to determine what they may have chosen to exclude from the audit. From there, you can determine if it is important to the security of your system and/or data.
Were any relevant exceptions noted?
Each type of SOC report will include the relevant exceptions noted during testing. This is the most essential element of a SOC report. You must decide which of your vendor’s controls are critical to your organization and evaluate if there are any exceptions noted in those critical areas.
If you find exceptions and determine they are critical to the security of your organization’s data, you must determine the impact these will have on your organization’s security.
Your next steps should focus on action and strategy. First, communicate any concerns you have with your service provider. Simultaneously, based on the findings of the SOC report, identify areas where additional security investments may be necessary. This may involve allocating resources to enhance specific security controls or exploring other vendors who have stronger security practices.
A SOC report is an invaluable tool that you should use to assess and continuously enhance your organization’s cybersecurity strategy. This proactive approach not only safeguards your sensitive information but also builds trust with stakeholders.