How to Read a SOC 2 Report

As a customer, you rely on your vendors and service providers to protect your data and ensure the continuity of their services. This is achieved through rigorous and comprehensive internal controls. Whether you’re evaluating a potential vendor or assessing your current one, the level of sophistication with which they approach managing your data is most likely a major factor in whether you choose to move forward with them. 

One way to assess a vendor’s control environment is by reviewing their System and Organization Controls (SOC) 2 report. However, if you lack technical expertise, these reports can be dense and challenging to interpret, leaving you unsure of how well a vendor aligns with your needs.

This article will guide you through the process of reading and interpreting a SOC report, empowering you to make informed decisions.

Preparing to Read the SOC Report

Before diving into the report, it’s essential to determine what you expect to see in the report itself. This starts with determining your own business’s requirements from the vendors it works with. 

First, ask yourself, what aspects of the vendor’s services are most critical to your business? Are you primarily concerned about data security, system availability, or regulatory compliance? 

By answering these questions, you will be able to determine which sections of the report are relevant to your needs, and can dedicate time to reading those sections carefully. For example, if data security is your top concern, you’ll want to pay close attention to the sections covering system components, security controls, and any reported incidents.

Next, ensure you’re reading the right type of SOC 2 report. 

A SOC 2 Type 1 report provides a description of the vendor’s control environment at a specific point in time. You might read this report if you are:

• Evaluating a new vendor undergoing their first SOC audit
• Seeking a high-level overview for an initial assessment

A SOC 2 Type 2 report requires the auditor to perform detailed testing of the operating effectiveness of those controls over a period of time, typically six to twelve months. These reports are considerably longer than Type 1 but go into more depth. As such, in most cases, you’ll probably want to read Type 2.  You should also pay close attention to ensure the period covered represents the most recent report.

By establishing your needs up front, you will make it easier to find relevant information in any SOC 2 report.

Guide to Reading a SOC 2 Report

A SOC 2 report can be 50-100 pages long. Before you dive in, there are a few details you’ll first want to understand. The first is the audit firm that was engaged to prepare the report. Robust SOC 2 reports are completed by CPA firms and tend to incorporate far more comprehensive analysis than reports completed by ‘SOC-in-a-box’ type solutions.

A SOC 2 report is divided into several sections, each providing valuable insights into the vendor’s control environment. Let’s explore these sections in detail:

The Opinion

The opinion is the auditor’s overall assessment of the vendor’s control environment. There are three types of opinions:

• Unqualified (Clean) Opinion: This is the most favorable outcome, indicating that the vendor’s controls were designed and operating effectively during the audit period.
• Qualified Opinion: A qualified opinion means that the auditor identified some exceptions or deficiencies in the vendor’s controls, but they were not pervasive enough to warrant a more severe opinion.
• Adverse Opinion: An adverse opinion is the worst-case scenario, indicating that the vendor’s controls were inadequate or ineffective.

Any opinion other than an unqualified opinion is referred to as a modified opinion. Any opinion other than an unqualified opinion should give you pause and prompt you to have a deeper conversation with the vendor.

Management Assertion Letter

The management assertion letter is a formal statement from the vendor’s management, acknowledging their responsibility for the design and operation of the control environment. 

This letter serves as a critical component of the audit process, as it ensures that management understands and accepts their obligations.

System Description

The System Description section provides an overview of the vendor’s services, system components, and control environment. 

This section of the report includes nine subsections. Depending on your needs, you might not need to read every single one, but instead focus on the subsections that align with your priorities.

DC 1: Types of Services Provided

This subsection outlines the services covered by the SOC report. 

As a customer, you should review this section to ensure that the services you rely on are included and adequately described.

DC 2: Principal Service Commitments and System Requirements

Here, the vendor outlines their service commitments and system requirements, such as availability targets, security standards, and regulatory compliance obligations. 

Evaluate whether these commitments and requirements align with your needs and expectations. For example, do they adhere to relevant industry regulations? Is their uptime target sufficient for your needs?

DC 3: Components of the System

This subsection describes the various components of the vendor’s system, including people, processes, data, infrastructure, and software. 

Assess whether these components are adequate and appropriate for the services you consume. For example, do they have a documented incident response process? How do they handle data backups and recovery?

DC 4: System Incidents

The System Incidents section details any incidents or disruptions that occurred during the audit period, along with the vendor’s response and remediation efforts. 

Review this section carefully to understand the nature and impact of any incidents, and whether they could affect your business.

DC 5: Applicable Trust Services Criteria

The Trust Services Criteria are the standards and principles used by the auditor to evaluate the vendor’s control environment. 

This subsection outlines the specific criteria applied during the audit, which can vary depending on the vendor’s industry and the nature of their services.

DC 6: Complementary User Entity Controls

Complementary User Entity Controls (CUECs) are controls that you, as the customer, are responsible for implementing to support the vendor’s control environment. 

Review this section to ensure that you have effectively implemented and maintained these controls.

DC 7: Subservice Organizations

If the vendor relies on subservice organizations (e.g., cloud providers, data centers) to deliver their services, this subsection will outline the roles and responsibilities of these third parties. 

For example, in this section, you might learn whether a subservice organization provides their own SOC report, its scope of service, and how the primary vendor monitors them.

DC 8: Not Relevant Criterion

This subsection lists any criteria or services that were deemed not relevant or out of scope for the audit. 

Review this section to ensure that no critical services or controls relevant to your business were excluded.

DC 9: Changes in the Period

Any significant changes to the vendor’s system or control environment during the audit period will be documented here. 

If significant changes did occur, review them to understand what changed and why. For example, if the vendor’s incident response process changed, was it due to updated regulatory compliance requirements, or due to a specific security incident?

Evaluate the impact each change might have on your business and whether it introduces any new risks or concerns.

Control Matrix

The Control Matrix is a detailed listing of the specific controls tested by the auditor, along with the results of their testing. 

In a SOC Type 2 report, this section will provide more comprehensive information on the testing procedures performed and the results over the audit period. 

For a SOC Type 1 report, the Control Matrix will be more limited in scope, as it only describes the controls in place at a specific point in time without testing their operating effectiveness.

Other Information 

This fifth section is an optional addition to the report containing the vendor’s management response to any exceptions or issues identified during the audit. 

For a SOC Type 2 report, this section may also include more detailed responses and remediation plans, as the auditor has evaluated the controls over an extended period. Note that this section of the report is unaudited: the auditor does not verify or test the statements made, but does review it to ensure that this section is not misleading to readers of the report. 

Smith + Howard: Your Trusted SOC 2 Experts

Reading and interpreting a SOC report can be a daunting task, but it is a crucial step to ensure your service providers maintain robust controls and safeguards. It also helps you make informed decisions about your business relationships.

However, if you lack the expertise or time to thoroughly review a SOC 2 report, Smith + Howard can help. Our team of experienced SOC auditors and advisors can provide a comprehensive evaluation of any SOC 2 report, highlighting any areas of concern and ensuring that your vendor relationships align with your business needs and risk tolerance.

At Smith + Howard, we understand the importance of vendor risk management and compliance. Contact us today to learn more about how we can help.