Organizations throughout California and across the country increasingly rely on third parties (e.g., vendors and service providers) to provide critical systems and perform essential business functions. This growth in outsourced systems and services has created greater demand for third-party attestation reports that provide transparency and assurance over the internal controls of those service providers.
System and Organization Controls (SOC) reports are a tool for assessing the controls a service organization has implemented. Reviewing a SOC report properly, however, requires scrutiny of the report's reliability, an understanding of its key elements and an assessment of whether the controls described are adequate for your organization's needs.
When reviewing a SOC report, there are many key aspects to consider:
Understand the types of SOC reports
• SOC 1 – focuses on internal controls over financial reporting (ICFR)
• SOC 2 – evaluates controls related to security (the common criteria) and may also cover availability, processing integrity, confidentiality and/or privacy of data
• Type 1 – reports on whether controls were suitably designed and implemented as of a specific point in time; it does not test whether they operated effectively
• Type 2 – reports on whether controls were suitably designed, implemented and operated effectively over a defined period (commonly six to twelve months)
Examine and understand the scope of the SOC report
• Review the report’s scope to confirm it matches the services and systems you have engaged the vendor to provide and the coverage you need (i.e., ICFR versus security)
• Verify that the report covers the areas that are critical to your operations (e.g., payroll processing, data center hosting)
• Review the period covered by the report to confirm it is current and provides sufficient assurance for your reporting needs; if there is a gap between the end of the period and your review date, ask the vendor for a bridge (gap) letter covering the interval
Consider elements of a SOC report
• Does the system description include the required information? For example, a SOC 2 description must address the description criteria (DC).
o For a SOC 2 report, have the principal service commitments and system requirements been disclosed?
o For a SOC 1 report, have the key reports that user entities rely on been disclosed?
• Do the auditor’s opinion and management’s assertion cover all items required to be disclosed?
Review the auditor’s opinion and management’s assertion
• The auditor’s opinion and management’s assertion should disclose any material issues with the presentation of the description, the design of the controls and the operating effectiveness of the controls.
• They will also disclose information about subservice organizations, the other service providers involved in delivering the services you receive, and whether each is carved out of or included in the report. For a carved-out subservice organization, the controls it performs are not covered by the report, so consider obtaining and reviewing its own SOC report.
Recognize differences between complementary user entity controls (CUECs) and user entity responsibilities
The terms CUEC and user entity responsibility are often used interchangeably, but they are not the same.
• CUECs are controls that the user entity itself must implement. They are necessary to achieve the stated control objectives and to address any residual risk that remains after the service organization’s controls are considered. CUECs are more commonly found in SOC 1 reports. Map each CUEC to a control your organization actually operates; an unaddressed CUEC is a gap in the assurance the report provides.
• User entity responsibilities are the obligations the user entity takes on by using the services the service organization provides. User entity responsibilities are more commonly found in SOC 2 reports.
Assess the adequacy of control design and operating effectiveness
• Are the controls appropriately designed to address identified risks?
o For a SOC 1 report, are the controls appropriate to achieve the control objective?
o For a SOC 2 report, are the controls suitable to meet the applicable Trust Services Criteria (TSC) in scope?
Analyze test procedures and results
• Understanding the procedures the service auditor performed shows how each control and its supporting evidence were examined to reach a result. Examine the results and assess whether the testing gives you the level of comfort you need for that control.
• Analyze the test procedures to identify parts of a control activity that were not tested, or testing that does not align with the control activity as described.
• Evaluate the test procedures for appropriateness.
o Inquiry alone provides the least assurance; observation and inspection of evidence provide more, and reperformance the most. For sample-based tests, consider whether the sample size is reasonable for the population and the frequency of the control.
Consider historical reports
• If available, review the service organization’s prior-year SOC reports. They give greater visibility into changes in the control environment and into recurring issues that have not been addressed, which indicates how committed the organization is to improving its control environment.
Consider overall formatting and grammar
• General grammar, punctuation and formatting errors can lead to questions regarding the auditor’s attention to detail.
• Formatting and overall presentation can demonstrate a service auditor’s inexperience with SOC reports, which could lead to questions about whether the service auditor understands SOC guidance and expectations.
Baker Tilly’s SOC report review template can help you
• We help organizations understand and evaluate the services, control processes and risks specific to each of their vendors, in a consistent manner.
• We assist with the identification of risks and guide risk mitigation and overall vendor relationship management activities.
• We facilitate reporting upward to management and board members on vendor risk management.
Bosco is a partner in Baker Tilly’s cybersecurity and risk advisory practice, with more than 15 years of SOC, SOX, and internal audit experience. Download Baker Tilly’s SOC report review template here and contact Bosco at [email protected].
Eric is a senior manager in Baker Tilly’s risk advisory practice with expertise in information technology general control audits, SOX compliance, internal audits, and internal control assessments and testing.