What is a SOC Report? Understand What’s Required & Common Questions
More companies are moving to cloud-based SaaS solutions to support their business operations. It’s typically cheaper, less complex, and safer from an operational and security standpoint.
However, if your company uses third-party software providers, it is in your best interest (and you may even be required) to perform procedures to review their SOC reports on a regular basis.
What is a SOC report?
A SOC report (service/system organization controls) is an independent evaluation of a service provider’s controls, providing valuable information about the infrastructure, controls, risks, and effectiveness of controls at your service provider.
These evaluations are often performed by a certified public accountant and used to verify your business or organization is following best practices.
Types of SOC Reports:
- SOC 1 is a report on controls relevant to a client’s internal controls over financial reporting (ICFR). This report is required for outsourced systems covered by Sarbanes-Oxley (SOX).
- SOC 2 is a report on controls related to operations or compliance.
- SOC 3 is a general use report on controls related to operations or compliance, without testing details.
- SOC for Cybersecurity is a report on an organization’s cybersecurity risk management program.
This article focuses on topics and procedures specific to SOC 1 reports, when evaluating them as part of your company’s compliance program (e.g. SOX, PCI, GDPR, ISO 27001, regulatory requirements, etc.).
Common Questions About SOC Reports & Reviews:
1. Which Report Should I Request from My Service Provider?
For the purposes of SOX compliance, it’s wise to obtain a SOC 1 Type 2 report.
A SOC 1 report provides an evaluation of the service provider’s internal controls over financial reporting (ICFR).
A Type 1 report provides coverage over management’s assessment and the overall design of controls at a specific point in time, so it specifies if the right controls are in place and if the control processes are properly designed to achieve their purpose.
A Type 2 report provides the same coverage as Type 1. However, it goes a step further and covers the operating effectiveness of controls over a period of time.
The auditors select samples and review evidence to make sure that controls were working as designed during the audit period.
A Type 2 report is typically required for SOX compliance, because it provides testing coverage during the year instead of during one point in time.
2. What Does a SOC 1 Report Entail?
Navigating through a SOC 1 report can be time consuming and somewhat confusing.
Understanding the 5 SOC Report Sections:
- Independent Service Auditor’s Report (Opinion Letter): Authored by the auditor; provides details about the audit performed, its scope and the final result (the opinion).
- Service Organization’s Assertion: Authored by the service provider and similar to the auditor’s opinion letter, but written from the service provider’s perspective; it confirms whether, to their knowledge, their controls are designed and operating effectively.
- Description of Service Organization’s System: Written by the service provider; outlines detailed information about the company’s environment, systems, organization and controls. It commonly contains two sub-sections:
  - Control Objectives and Control Activities: Sometimes lists the control objectives and the underlying controls.
  - Complementary User Entity Controls (CUECs): Lists the controls that should be in place at the user organization, as a user of the service.
- Description of Service Auditor’s Tests of Controls and Results: Section 4 is the meat of the report and provides all of the control testing performed, along with the test results outlining any exceptions or control failures found.
- Additional Information Provided by the Service Organization: Sometimes contains management’s response to issues identified during the audit, or additional information on other policies and processes at the company, such as Business Continuity and Disaster Recovery.
3. What Are Bridge Letters as they relate to SOC reports?
Keep in mind the length of each report issued – for example, SOC 1 reports do not always cover a full year. As a result, the service provider will typically issue a bridge letter (aka “gap letter,” “comfort letter” or “negative assurance letter”).
A bridge letter essentially extends the period covered by the SOC report, providing clients and auditors with reasonable assurance that controls were effective for the full fiscal year period.
The bridge letter will provide a statement from the service organization about whether they are aware of any changes since the last issued report.
It’s important to evaluate a bridge letter to make sure it covers the correct SOC report, scope and time-period.
4. What Are Complementary User Entity Controls (CUECs) in SOC Reports?
A SOC 1 report will typically include a sub-section within Section 3 which describes Complementary User Entity Controls (CUECs). They are also sometimes referred to as “User Control Considerations” or “Client Considerations.”
The list of CUECs indicates the controls that should be in place within your company, as the client (or user) of their service.
To put it simply, these are controls the service organization is assuming users of its services have in place.
These controls, when applicable, must be in place at the user organization in order for controls at the service organization to be effective. The CUECs may not always apply to your organization and should be evaluated.
When performing your evaluation of CUECs, you will first want to identify the controls that apply to you.
Next, you should identify whether you currently have processes in place to address those controls (such as policies, procedures, formal controls, etc.).
Finally, evaluate whether your CUECs are effective and working properly. If you are not currently performing a CUEC that is required by your service provider, it should be a top priority for your organization to implement it.
5. What Are the Main Items to Review in a SOC 1 Report?
There are a number of areas to review in a SOC 1 report. Refer to our SOC 1 Report Checklist one-pager for a detailed outline of items to review.
6. What is a Qualified Report and How Do I Move Forward If My Service Provider’s Report is Qualified?
A qualified opinion indicates there are significant control failures in the SOC audit, and some control objectives may have failed overall.
Key Steps to Take if Your Service Provider’s SOC Report is Qualified
- Check if the failed control objective applies to your organization
- Review whether the control failures apply to your organization
- Identify whether there are mitigating controls in place within your company or within the service provider
- Review any additional information provided in the SOC report, to determine whether additional details are provided on scope or impact of findings
- Obtain and review any subsequent SOC reports that may indicate issues were corrected
You may need to work with your internal audit and/or external auditor to help facilitate and document the evaluation.
Need SOC Report Support?
Bridgepoint Consulting has a dedicated team of SOX compliance experts who are seasoned in all aspects of the regulatory environment and financial reporting.
Our team’s objectivity and assessment quality greatly improve overall financial reporting for your organization, as well as teach your team the proper processes in the SOC reporting world moving forward.
By John Patrick
John has deep experience across a multitude of skill sets, including cybersecurity and data protection policies, procedures and best practices, IT audit, security, risk, and compliance.