Leveraging SOC Reports

October 18, 2019
Impact Makers

Part 3 of 3: How to Review SOC Reports for More Business Value

By Zachary Ugol, Risk Management Consultant

We have been discussing System and Organization Controls (SOC) reports and how they can be used to establish and maintain trust between service providers and their customers. In our first blog, we covered a basic understanding of the benefits of SOC reporting. In our second blog, we covered the various kinds and types of SOC reports as well as how they are used to support compliance requirements. In this blog, we will tackle one of the most important questions: What information is most important when reviewing a SOC report?

What information is significant in a SOC report (SOC 1, SOC 2, SOC 3, etc.)?

A common challenge with SOC reports is a lack of understanding around how to write (for service providers) and to interpret (for customers) these reports. As these reports have been developed and are governed by the AICPA, the individuals with the most experience around SOC reports are the CPAs who produce them, rather than the service providers and customers who use them.

Larger organizations have utilized these reports since their inception; however, as the risks around data security and privacy increase, there is increasing pressure on small to mid-size organizations to provide these reports.

Let’s start by highlighting and defining a few key terms:

  • Section 4 – Auditor’s Testing & Results: This is arguably the most important section of the report, as it includes a table that details the testing performed and the results of testing, control by control.
  • Complementary User Entity Controls (CUECs): In designing their controls, the service organization assumes that the users of the report (i.e., the customers) will include certain controls in order to meet the control objectives.
  • Complementary Subservice Organization Controls (CSOCs): In designing their controls, the service organization is relying on a subservice organization in order to meet the control objective.

Understanding CUECs and CSOCs

If the language of CSOC & CUEC is confusing, you are not alone. Organizations are continuing to refine this over time. At a high level, the purpose of including this information within a SOC report is to clearly identify and delineate between the responsibilities of the service provider, customer, and any other organizations that may be supporting compliance requirements. Below is a graphic that is helpful in understanding the relationship between the Customer, Service Organization, and the Subservice Organization.

Relationship between the Customer, Service Organization, and the Subservice Organization


To expand on that, here is a practical example. Please note that this is a hypothetical example and does not reflect reality.

Example Relationship between the Customer, Service Organization, and the Subservice Organization

What should I look for in a SOC Report?

To help decode SOC reports, the table below contains a few of the critical areas to review as well as questions to consider for both service providers and their customers.

SOC Reports: Critical Review Areas for Customers and Service Providers

Section 4 – Auditor’s Testing and Results

Customers: Customers should review the results of testing and assess whether control failures require additional considerations by asking the following questions:

  • What is management’s response to the control failure?
  • Are there compensating controls at the service organization?
  • Are there compensating controls within my organization?

Service Providers: Service providers should ensure that they have provided a sufficient response to control failures.

  • Have I provided a response to control failures?
  • What questions might a customer ask when reviewing the report?

Complementary User Entity Controls (CUEC)

Customers: Customers are required to ensure that these controls are in place and operating effectively, and they should ask the following questions:

  • Do I have this control in place? Have I mapped this CUEC to one of my existing controls?
  • Have I tested this control for operating effectiveness?

Service Providers: Service providers should ensure that they’ve included all relevant CUECs and should ask the following questions:

  • Is there anything that the customer must do in order to meet the control objective?
  • Is there anything for which the customer is responsible?

Complementary Subservice Organization Controls (CSOC)

Customers: It is important for customers to assess whether the subservice organization’s controls are effective.

  • How critical is the subservice organization in the services being provided?
  • Do I need to request the SOC report from the subservice organization?

Service Providers: Service providers should consider all areas in which they may be relying on a subservice organization to meet control objectives.

  • Is there any reliance placed on a Software as a Service (SaaS) or similar?
  • Do I receive a SOC report from any service organizations that are relevant to the services provided to customers? Have I reviewed the SOC report?

SOC Reports Build Trust and Reduce Risk

In this blog series we have covered the basics of SOC reporting. We’ve covered what they are, the kinds and types of reports that are available, as well as key information included within the report.

To summarize the importance of SOC reports: in order to ensure ongoing protection against potential security breaches, it is important for companies and service providers to communicate regarding compliance requirements and to ensure that responsibilities have been divided accordingly. For users, it is important to understand how vendors are supporting your compliance requirements. For service providers, it’s important to understand stakeholder compliance requirements and to design the services in such a way as to meet those requirements.


Learn More: The Impact Makers Solution

Impact Makers’ Risk Management consultants have knowledge of SOC reports and insights to help both service providers and their customers.

For service providers, we help answer the following questions:

  • Have I provided the user of the report with all relevant information?
  • Is there additional information I ought to include within the SOC report?

For customers, we help answer:

  • What should I do with the results of the SOC report?
  • Do control failures impact our compliance requirements?

We work with our customers to deliver and enable strategic business advantage with Information Security & Risk Management services.
