vendor management and risk management<\/a> functions and should be taken very seriously. You are only as strong as your weakest link, which could indeed be your vendors.<\/p>\nHow to Review a SOC Report<\/h2>\n
When obtaining the report, make sure it is the correct one. There are vendors that issue anywhere from one to sometimes more than 30 reports for different areas of the business. To increase the efficiency and effectiveness of your review, ensure you have the correct report. If you are reviewing card issuance procedures, the item processing report will not suffice.<\/p>\n
Time Period of Report<\/h3>\n
You should review the time period of the report to ensure it covers the needs of the user. Reporting periods vary and often don\u2019t cover full calendar years (i.e. reporting period of October 1, 2022 \u2013 September 30, 2023). Make sure the time period meets your needs. If there is a gap between the report and the time period you require for your review, you can obtain what is called a bridge letter or comfort letter stating what has occurred since the issuance of the report.<\/p>\n
It is a best practice to ensure the report you obtain covers a time period of at least six months, with nine to twelve months being ideal. Ensure that hidden accounts have not been created, as these could be used for illicit activities.<\/p>\n
Another high-risk user group is third-party vendors. Vendors come and go from a business environment and often need access to the systems to do the job they were hired for. There is a higher risk for this type of user to not be terminated at the end of the contractual relationship. Often vendors are given remote access, so even if they are not onsite they could access the network.<\/p>\n
Report Coverage<\/h3>\n
The controls tested in the report should cover the services you rely on the service provider for. The level of specificity varies based on scope, auditor and service provider control structure. You should review the report in detail to ensure your areas of concern and reliance are covered. If they are not, alternative procedures may be necessary.<\/p>\n
The service auditor\u2019s opinion on the operating effectiveness of the controls:<\/h4>\n
The auditor will opine in the report on the operating effectiveness of the controls as being Effective<\/em> or Ineffective<\/em>. If you receive an Ineffective<\/em> opinion, you should seriously investigate why. Ineffective controls at a key service provider could have serious consequences on your own control environment.<\/p>\nManagement\u2019s opinion on the operating effectiveness of the controls:<\/h4>\n
Like the service auditor, management also opines on the operating effectiveness of controls. Take the same considerations as those taken with the auditor\u2019s opinion. If the two opinions differ, conduct an investigation into the reason.<\/p>\n
Inclusion of control environment in reports:<\/h4>\n
A description of the service organization\u2019s control environment is one aspect of reports that may not have been included in the past. This description can provide valuable insights and you should review it if present.<\/p>\n
Control Exceptions<\/h3>\n
Each report contains a section listing out the controls tested and the results of that testing. You should investigate any exceptions noted for possible impacts on your process. This especially holds true for the controls your organization relies upon.<\/p>\n
Vendors who have mature risk management and internal control functions have a minimal amount of exceptions in these reports. Your level of caution should peak if you see a high number while you are reviewing a SOC report.<\/p>\n
User Control Considerations<\/h3>\n
Most reports contain a section that lists controls that should be in place at the user (your) organization. These sections are typically called User Control Considerations, Complementary User Entity Controls or Description of Client Considerations.<\/p>\n
These are controls the service organization is assuming you have in place. They may not all be applicable to your business, but this section provides some great insight and may point out gaps in your control structure. Review and address each user control consideration as applicable.<\/p>\n
Subservice Providers<\/h3>\n
Your service providers may be outsourcing part of the service they provide you. This could include hosting, helpdesk and other essential functions. The SOC report should list what activities are outsourced.<\/p>\n
The term used in the report is most typically \u201csubservice provider.\u201d You should determine if you rely on that subservice and if you need to obtain a report from the subservice provider or perform any other sort of investigative activities. Remember, you are only as strong as your weakest link.<\/p>\n
Controls & Reports Relied Upon<\/h3>\n
Remember, it is a good idea to keep a running listing of reports and controls you rely upon at your service organization. This will increase the efficiency and effectiveness of how you review your SOC reports. It will also help manage your risk. Performing your reviews with the proper amount of rigor will ensure you are practicing proper risk management.<\/p>\n
Create an internal checklist for reviewing the SOC reports. This best practice helps you ensure that you’ve covered all the essential areas. We hear stories every week regarding weaknesses at vendors and resulting control breakdowns and in some cases data breaches.<\/p>\n\n
\n
\n Wonder what a cyber attacker sees when they target your organization? Wonder no more. Watch a live network attack demo simulated by an industry-leading offensive security expert. In our on-demand webinar, you\u2019ll learn how to uncover vulnerabilities that the average pen test misses. \n <\/div>\n