January 6, 2022

Reviewing SOC Reports – A Detailed Look at What is Required

By John Patrick

More companies are moving to cloud-based SaaS solutions to support their business operations. It’s typically cheaper, less complex, and safer from an operational and security standpoint. However, if your company utilizes third-party software providers, it is in your best interest (and you may be required) to perform procedures to review their SOC reports on a regular basis.

A System and Organization Controls (SOC) report is an independent evaluation of a service provider’s controls, performed by a Certified Public Accountant. These essential reports provide valuable information about the infrastructure, controls, risks, and effectiveness of controls at your service provider.

There are 3 types of SOC reports currently available:

  • SOC 1 – A report on controls relevant to a client’s internal controls over financial reporting (ICFR). This report is required for outsourced systems covered by Sarbanes-Oxley (SOX).
  • SOC 2 – A report on controls related to operations or compliance.
  • SOC 3 – A general-use report on controls related to operations or compliance, without testing details.

This article focuses on topics and procedures specific to SOC 1 reports, when evaluating them as part of your company’s compliance program (e.g. SOX, PCI, GDPR, ISO 27001, regulatory requirements, etc.).

Which Report Should I Request from My Service Provider?

Each SOC report comes in one of two types – Type 1 and Type 2. For the purposes of SOX compliance, it’s wise to obtain a SOC 1 Type 2 report. A SOC 1 report provides an evaluation of the service provider’s internal controls over financial reporting (ICFR).

A Type 1 report provides coverage over management’s assessment and the overall design of controls at a specific point in time, so it specifies if the right controls are in place and if the control processes are properly designed to achieve their purpose.

A Type 2 report provides the same coverage as Type 1, however it goes a step further and covers the operating effectiveness of controls over a period of time.  The auditors select samples and review evidence to make sure that controls were working as designed during the audit period.  A Type 2 report is typically required for SOX compliance, because it provides testing coverage during the year instead of during one point in time.

What Does a SOC 1 Report Entail?

Navigating through a SOC 1 report can be time consuming and somewhat confusing.  The key is to understand the 5 report sections:

  1. Independent Service Auditor’s Report (Opinion Letter): This section is authored by the auditor and provides details about the audit performed, scope, and final results.
  2. Service Organization’s Assertion: This section is authored by the service provider and is similar to the opinion letter from the auditor. However, it’s from the perspective of the service provider and confirms whether their controls are designed and operating effectively to their knowledge.
  3. Description of Service Organization’s System: Written by the service provider and outlines detailed information about the company’s environment, systems, organization, and controls.
    • Control Objectives and Control Activities: Sometimes this section will list the control objectives and underlying controls.
    • Complementary User Entity Controls (CUECs): Contains a section listing controls that should be in place at the user organization, as a user of the service.
  4. Description of Service Auditor’s Tests of Controls and Results: Section 4 is the meat of the report and provides all of the control testing performed, along with the test results outlining any exceptions or control failures found.
  5. Additional Information Provided by the Service Organization: This section sometimes contains information from management regarding issues identified during the audit.  Or it sometimes provides additional information on other policies and processes at the company, such as Business Continuity and Disaster Recovery.

What Are Bridge Letters?

Keep in mind the period each report covers – for example, SOC 1 reports do not always cover a full year. As a result, the service provider will typically issue a bridge letter (aka “gap letter,” “comfort letter,” or “negative assurance letter”). A bridge letter essentially extends the period of the SOC report, to provide clients and auditors with reasonable assurance that controls were effective for the full fiscal year (one year, for example).

The bridge letter will provide a statement from the service organization about whether they are aware of any changes since the last issued report.  It’s important to evaluate a bridge letter to make sure it covers the correct SOC report, scope, and time-period.
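The checks in the previous paragraph (does the letter reference the right report, the right scope, and the right period, and does the report plus the letter actually cover the fiscal year without a gap?) are easy to get wrong by eye when a report period ends mid-year. The following is an added example, not code from the article or from Bridgepoint Consulting; the `SocReport` and `BridgeLetter` records, the function names, and all dates, report names and system names in it are constructed for illustration. It generalizes the article’s case slightly: `coverage_gaps` accepts any number of covered periods, so it also flags a gap between two consecutive SOC reports.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# A period is an inclusive (start, end) date pair.
Period = Tuple[date, date]


@dataclass(frozen=True)
class SocReport:
    """Facts a reviewer pulls from the opinion letter (Section 1). Hypothetical record."""
    name: str
    period: Period                 # examination period stated by the auditor
    systems: FrozenSet[str]        # services/systems in scope


@dataclass(frozen=True)
class BridgeLetter:
    """Facts a reviewer pulls from the service organization's bridge letter. Hypothetical record."""
    report_name: str               # which SOC report the letter says it extends
    report_period_end: date        # period end of that report, as stated in the letter
    covers_through: date           # date through which no material changes are asserted
    systems: FrozenSet[str]        # services/systems the letter's statement covers


def review_bridge_letter(report: SocReport, letter: BridgeLetter) -> List[str]:
    """Return the reasons a bridge letter should NOT be relied on for this report."""
    issues = []
    if letter.report_name != report.name:
        issues.append(f"letter references {letter.report_name!r}, not {report.name!r}")
    if letter.report_period_end != report.period[1]:
        issues.append("letter's stated report period end does not match the opinion letter")
    missing = report.systems - letter.systems
    if missing:
        issues.append("letter scope omits in-scope systems: " + ", ".join(sorted(missing)))
    if letter.covers_through <= report.period[1]:
        issues.append("letter does not extend coverage beyond the report period")
    return issues


def coverage_gaps(fiscal_year: Period, covered: List[Period]) -> List[Period]:
    """Return the parts of fiscal_year not covered by any of the given periods."""
    fy_start, fy_end = fiscal_year
    # Clip each period to the fiscal year and drop any that fall entirely outside it.
    clipped = sorted(
        (max(s, fy_start), min(e, fy_end))
        for s, e in covered
        if max(s, fy_start) <= min(e, fy_end)
    )
    gaps: List[Period] = []
    cursor = fy_start                      # first day not yet known to be covered
    for s, e in clipped:
        if s > cursor:
            gaps.append((cursor, s - timedelta(days=1)))
        if e >= cursor:
            cursor = e + timedelta(days=1)
    if cursor <= fy_end:
        gaps.append((cursor, fy_end))
    return gaps


def fiscal_year_coverage(fiscal_year: Period, report: SocReport,
                         letter: Optional[BridgeLetter] = None) -> List[Period]:
    """Gaps left by the report plus a bridge letter, counting the letter only if it passed review."""
    covered = [report.period]
    if letter is not None and not review_bridge_letter(report, letter):
        covered.append((report.period[1] + timedelta(days=1), letter.covers_through))
    return coverage_gaps(fiscal_year, covered)


# Constructed sample values for illustration; not taken from any real report.
FY2022 = (date(2022, 1, 1), date(2022, 12, 31))
REPORT = SocReport("Payroll SaaS SOC 1 Type 2", (date(2021, 10, 1), date(2022, 9, 30)),
                   frozenset({"payroll", "time-tracking"}))
GOOD_LETTER = BridgeLetter("Payroll SaaS SOC 1 Type 2", date(2022, 9, 30), date(2022, 12, 31),
                           frozenset({"payroll", "time-tracking"}))
STALE_LETTER = BridgeLetter("Payroll SaaS SOC 1 Type 2", date(2021, 9, 30), date(2022, 12, 31),
                            frozenset({"payroll"}))

if __name__ == "__main__":
    print(fiscal_year_coverage(FY2022, REPORT))               # report alone leaves Q4 uncovered
    print(fiscal_year_coverage(FY2022, REPORT, GOOD_LETTER))  # no gaps
    print(review_bridge_letter(REPORT, STALE_LETTER))         # wrong period end, narrower scope
```

A letter that fails any review check is ignored for coverage purposes rather than partially credited, since a letter that references the wrong report or omits an in-scope system gives no assurance about the period it claims to extend.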

What Are Complementary User Entity Controls (CUECs)?

A SOC 1 report will typically include a sub-section within Section 3 which describes Complementary User Entity Controls (CUECs). They are also sometimes referred to as “User Control Considerations” or “Client Considerations.” The list of CUECs indicates the controls that should be in place within your company, as the client (or user) of the service. To put it simply, these are controls the service organization is assuming users of its services have in place. These controls, when applicable, must be in place at the user organization in order for controls at the service organization to be effective. The CUECs may not always apply to your organization and should be evaluated.

When performing your evaluation of CUECs, you will first want to identify the controls that apply to you.  Next, you should identify whether you currently have processes in place to address those controls (such as policies, procedures, formal controls, etc.).  Finally, evaluate whether your CUECs are effective and working properly.  If you are not currently performing a CUEC that is required by your service provider, it should be a top priority for your organization to implement it.

What Are the Main Items to Review in a SOC 1 Report?

There are a number of areas to review in a SOC 1 report.  Refer to our SOC 1 Report Checklist one-pager for a detailed outline of items to review.

What is a Qualified Report and How Do I Move Forward If My Service Provider’s Report is Qualified?

A qualified opinion indicates there are significant control failures in the SOC audit, and some control objectives may have failed overall.  If your service provider’s SOC report is qualified, there are key steps you should take:

  • Check if the failed control objective applies to your organization
  • Review whether the control failures apply to your organization
  • Identify whether there are mitigating controls in place within your company or within the service provider
  • Review any additional information provided in the SOC report, to determine whether additional details are provided on scope or impact of findings
  • Obtain and review any subsequent SOC reports that may indicate issues were corrected

You may need to work with your internal audit and/or external auditor to help facilitate and document the evaluation.

How Bridgepoint Can Help

Bridgepoint Consulting has a dedicated team of SOX compliance experts who are seasoned in all aspects of the regulatory environment and financial reporting. Our team’s objectivity and assessment quality greatly improve overall financial reporting for your organization, and we teach your team the proper processes in the SOC reporting world moving forward. To simplify your financial journey and optimize established processes, reach out to Bridgepoint Consulting today.


About John Patrick

John Patrick is an IT Risk & Compliance Engagement Manager at Bridgepoint Consulting. John has deep experience across a multitude of skill sets, including cybersecurity and data protection policies, procedures and best practices, SOX, SOC 1 and SOC 2, IT audit, security, risk, and compliance. A high-performing leader, John has served in dynamic roles that have seen him manage areas of client relationships, sales, business development and technology support. His industry experience spans IT operations and outsourcing, biotech, public sector, banking, food and beverage, communications, oil and gas, real estate, technology and industrial products, among others.  He earned his Information Systems and Accounting degree from the University of Texas at Austin.

JPatrick@bridgepointconsulting.com