In previous articles, we\u2019ve guided you through the complex world of system and organization controls (SOC) reports<\/a>, helping you select the right one for your organization\u2019s needs and familiarize yourself with the format<\/a>.<\/p>\n Now, in the final installment of our series, we delve deeper into what else you should take into consideration when reviewing a SOC report from your vendor.<\/p>\n In each SOC report, you will find the vendor\u2019s management assertion, the independent service auditor\u2019s report, the vendor\u2019s description of its system, and a listing of controls tested. Below are some key points to focus on during your review.<\/p>\n When considering who issued the report, there are two principal factors to consider.<\/p>\n First, it is important to verify the credentials of the provider to ensure your SOC report provides valuable insights.<\/strong> According to the American Institute of Certified Professional Accountants (AICPA), only CPA firms have the authority to issue SOC reports. Licensed CPA firms must undergo peer reviews at least once every three years to ensure their accounting and auditing practices meet AICPA standards. To verify a CPA firm\u2019s status, you can visit the AICPA\u2019s public file website<\/a>.<\/p>\n While it is important to ensure the SOC report was issued by a licensed CPA firm, there is a second, yet equally important, point to consider: Does the firm or individual issuing the report have information technology or information security certifications? It is important to understand that SOC reports are information security-related audits, which are vastly different from the financial audits CPA firms typically perform.<\/p>\n Since SOC reports extensively investigate information security, it\u2019s imperative that the professional responsible has a solid foundation in the field. Look for certifications such as:<\/strong><\/p>\n These certifications are rigorous and demonstrate expert knowledge of cybersecurity and information security.<\/p>\n Within the SOC report, you will find an independent service auditor\u2019s report. In this section, the auditor documents the overall opinion regarding the vendor\u2019s system, including whether the vendor presented the system description fairly and whether its controls are suitably designed and functioning as expected.\u00a0<\/strong><\/p>\n The auditor\u2019s opinion is the main reason for a SOC report, so it is important to understand the meanings of the different opinions. There are four ways an auditor can present their opinion on a SOC report:<\/p>\n The most critical point to keep in mind is that you want an unqualified opinion. If the result is any other type of opinion, you should also find a separate paragraph to describe the reasons for the opinion and evaluate the impact of the qualifications.<\/p>\n Within the SOC report, the vendor will provide a description of the system, which should cover all the following: background information and a description of the software, people, procedures, and data.<\/p>\n Due to familiarity with your vendor\u2019s systems and infrastructure, review this description closely to determine what they may have chosen to exclude from the audit.<\/strong> From there, you can determine if it is important to the security of your system and\/or data.<\/p>\n Each type of SOC report will include the relevant exceptions noted during testing. This is the most essential element of reviewing a SOC report. You must decide which of your vendor\u2019s controls are critical to your organization and evaluate if there are any exceptions noted in those critical areas.<\/p>\n If you find exceptions and determine they are critical to the security of your organization\u2019s data, you must determine the impact these will have on your organization\u2019s security.<\/p>\n After reviewing a SOC report, your next steps should focus on action and strategy. First, communicate any concerns you have with your service provider. Simultaneously, based on the findings of the SOC report, identify areas where additional security investments<\/a> may be necessary.<\/strong> This may involve allocating resources to enhance specific security controls or exploring other vendors who have stronger security practices.<\/p>\n A SOC report is an invaluable tool that you should use to assess and continuously enhance your organization\u2019s cybersecurity strategy<\/a>. This proactive approach not only safeguards your sensitive information but also builds trust with stakeholders.<\/p>\n \n Who issued the report?<\/h2>\n
\n
What is the auditor\u2019s opinion?<\/h2>\n
\n
What did the audit include?<\/h2>\n
Were any relevant exceptions noted?<\/h2>\n
Next Steps<\/h2>\n