Although I have written about these relatively new reports frequently, and for some time now, it still remains a topic of great interest to financial institutions. Fully 20% of all searches on this site over the past 6 months include the terms “SOC” or “SOC 2”, or “SAS 70”. Some of this increased interest comes from new FFIEC guidance on how financial institutions should manage their service provider relationships, and some of it comes from financial institutions that are just now seeing these new reports from their vendors for the first time. And because the SOC 2 is designed to focus on organizations that collect, process, transmit, store, organize, maintain or dispose of information on behalf of others, you are likely to see many more of them going forward.
Having just completed our own SOC 2 (transitioning from the SAS 70 in the previous period), I can say unequivocally that not only is it much more detailed, but that it has the potential to directly addresses the risks and controls that should concern you as the recipient of IT related services. But not all SOC 2 reports are alike, and you must review the report that your vendor gives you to determine its relevance to you. Here are the 5 things you must look for in every report:
-
Products and Services – Does the report address the products and services you’ve contracted for?
-
Criteria – Which of the 5 Trust Services Criteria (privacy, security, confidentiality, availability and data integrity) are included in the report?
-
Sub-service Providers – Does the report cover the subcontractors (sub-service providers) of the vendor?
-
Type I or Type II – Does the report address the effectiveness of the controls (Type II), or only the suitability of controls (Type I)?
-
Exceptions – Is the report “clean”? Does it contain any material exceptions?
Before we get into the details of each item, it is important to understand how a SOC 2 report is structured. There are 3 distinct sections to a SOC 2 (and they generally appear in this order);
- The Service Auditors Report,
- The Managements Assertion, and
- The Description of Systems.
So simply put, what happens in a SOC 2 report is that your service providers’ management prepares a detailed description of the systems and processes they use to deliver their products and services to you, and the controls they have in place to manage the risks. They then make an assertion that the description is accurate and complete. Finally, the auditor renders an opinion on whether or not the description is “fair” as to control suitability (Type I) and effectiveness (Type II).
Products and Services
The first thing to look for in a SOC 2 report is generally found in the Management’s Assertion section. It will state something to the effect that “…the system description is intended to provide users with information about the X, Y and Z services…” You should be able to identify all of your products and services among the “X”, “Y”, and “Z”. If you have a product or service with the vendor that is not specifically mentioned, you’ll need to satisfy yourself that the systems and processes in place for your products are the same as they are for the products covered in the report. (You should also encourage the vendor to include your products in their next report.)
Criteria
The next thing to look for is found in the Service Auditor’s Report section. Look for the term “Trust Services Principles and Criteria”, and make a note of which of the 5 criteria are listed. The 5 possible covered criteria are: Privacy, Security, Confidentiality, Integrity and Availability. Service provider management is allowed to select which criteria they want included in the report, and once again you should make sure your specific concerns are addressed.
Sub-service Providers
The next item is also found in the Service Auditor’s Report section, and usually in the first paragraph or two. Look for either “…our examination included controls of the sub-service providers”, or “…our examination did not extend to controls of sub-service providers”. The report may also use the terms “inclusive” to indicate that they DID look at sub-service providers, or “carve-out” to indicate that the auditor DID NOT look at the controls of any sub-service providers. These are the service providers to your service provider, and if they store or process your (or your customers) data you’ll need assurance that they are being held to the same standards as your first-level service provider. This assurance, if required and not provided in the SOC 2, may be found in a review of the sub-service provider’s third-party reviews.
Type I or Type II
As with the older SAS 70, the new SOC 1 and SOC 2 reports come in two versions; a Type I, which reports on the adequacy of controls as of a single point in time, and a Type II, which reports on both control adequacy and effectiveness by evaluating the controls over a period of time, typically 6 months. Clearly the Type II report is preferred, but because the SOC 2 audit guides were just released last year, most service providers may choose to initially release a Type I. If your concerns about the service provider include whether or not their risk management controls were both adequate AND effective (and in most cases they should), make sure they immediately follow up the Type I with a Type II.
Exceptions
Finally, scan the Service Auditor’s Report section for verbiage such as “except for the matter described in the preceding paragraph…”, or “the controls were not suitably designed…” or “…disclaim an opinion…”, or terms such as “omission” or “misrepresentation” or “inadequate”. These are an indication that the report could contain important material exceptions that would be cause for concern.
One more thing…pay particular attention to a sub-section (usually found in Description of Systems section) called “Complementary End-User (or User-Entity) Controls”. This is not new to the SOC reports, the SAS 70 had a similar section, but it is one of the most important parts of the entire report, and one that is often ignored. This is a list of what the vendor expects from you. Things without which some or all of the criteria would not be met. This is the vendor saying “we’ll do our part to keep your data private, secure, available, etc., but we expect you to do a few things too”. It’s important that you understand these items, because the entire auditor’s opinion depends on you doing your part, and failure to do so could invalidate some or all of the trust criteria. By the way, you should be able to find a corresponding list of these end-user controls repeated in your contracts.
The lesson here is that vendor third-party reviews like the SOC 2 are no longer a “check the box and be done” type of exercise. As part of your vendor management process, you must actually review the reports, understand them (don’t hesitate to enlist the help of your own auditor if necessary), and document that they adequately address your concerns.
