How to Read Your Vendor’s SOC 1 or SOC 2 Report

by Sarah Harvey / August 16th, 2018

Most organizations outsource some aspect of their business to vendors, whether it’s to perform a specific, integral task or replace an entire business unit. Vendors can be in roles like customer support, financial technology, record storage, software development, or claims processing. Using vendors can further an organization’s business objectives, enable them to function more effectively, and may be more cost-efficient. With all these opportunities, organizations must remain aware of the risks vendors carry with them.

As a result of the additional risks that vendors bring, more and more organizations are asking vendors to receive SOC 1 or SOC 2 attestations. But, when you do receive a SOC 1 or SOC 2 report from a carved-out vendor, do you know how to read it? Which areas do you focus on and what do the results mean? SOC 1 and SOC 2 reports are lengthy and complex, but incredibly important in understanding the risks posed to your organization. Let’s take a look at some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.

Who Issued the SOC 1 or SOC 2 Report?

SOC 1 and SOC 2 reports follow a pattern. Each gives the vendor’s management’s assertion, the independent service auditor’s report, the vendor’s description of its system, and tests of controls. Before you begin reading, though, there’s one initial question to ask when reviewing a SOC 1 or SOC 2 report: who issued the report? As stipulated by the AICPA, SOC reports can only be issued by a CPA firm. We recommend looking to see that the firm who issued the report is a licensed CPA firm; no CPA firm license means that the firm doesn’t undergo a peer review, which is a review of its accounting and auditing practices once every three years after its initial peer review.

Although CPAs and CPA firms can issue a SOC report, you should also be asking if the individual or firm has information technology or information security certifications. Let’s not forget: SOC 1 and SOC 2 audits are information security audits. These aren’t your typical financial audits that you usually get from a CPA. We recommend encouraging your vendors to engage a CPA firm that specializes in information security for SOC 1 and SOC 2 audits. Certified Information Systems Security Professional (CISSP), Certified Information System Auditor (CISA), and Certified Risk and Information Systems Control (CRISC) are rigorous certifications showing expert knowledge of information security and cybersecurity. These types of certifications are crucial to receiving a quality audit and what you should be looking for from your vendor’s licensed CPA firm.

The Auditor’s Opinion in a SOC 1 or SOC 2 Report

A SOC 1 or SOC 2 report contains an independent service auditor’s report, which states the auditor’s opinion regarding the description of the vendor’s system, whether the system was presented fairly, and whether the vendor’s controls are suitably designed. When reviewing a vendor’s SOC 1 or SOC 2 report, you will want to pay attention to the controls that impact your security. The auditor’s opinion can be presented in four possible variations:

SOC Unqualified Opinion

Issued when the auditor fully supports the findings, with no modifications.

SOC Qualified Opinion

Issued when the auditor cannot express an unqualified opinion, but the issues are not so severe that they need to issue an adverse opinion.

SOC Adverse Opinion

Issued when the auditor believes that report users should not rely on the vendor’s systems.

SOC Disclaimer

Issued when the auditor cannot express an opinion because they were unable to obtain sufficient evidence on which to base their opinion.

An unqualified opinion from your vendor’s independent auditor is what you should be looking for, because any other opinion should cause your organization to evaluate the impact of the qualifications.

What Was Audited During the SOC 1 or SOC 2 Audit?

Your vendor will decide what will or will not be in-scope for the SOC 1 or SOC 2 audit, and this will be described in your vendor’s description of its system. This provides background information on the vendor to the report user and provides a description of the software, people, procedures, and data within the organization’s in-scope environment. Because you’re familiar with your vendor’s systems and infrastructure, you’ll be able to gauge anything they’ve chosen to exclude from the audit, which may or may not be important to the security of your system and data.

Analyze Exceptions and Non-Compliance in the SOC 1 or SOC 2 Report

For each control objective of a SOC 1 and Trust Services Criteria category for SOC 2, the report will outline whether any relevant exceptions were noted during testing. This is an incredibly important element of a SOC 1 or SOC 2 report. Which of your vendor’s controls are critical to the security of your data? You need to evaluate if they have any exceptions or non-compliant controls in those critical areas and determine how this will impact the security of your system and data.

Do you struggle with how to evaluate your vendors’ compliance efforts? Do you know how to read a SOC 1 or SOC 2 report? Contact us today to speak with an information security expert.

More SOC Resources

What’s the Difference Between SOC 1, SOC 2, and SOC 3?

What’s the Difference between SOC 1 Type I and SOC 1 Type II?

What’s the Difference Between SOC 2 Type I and SOC 2 Type II?