How to Properly Review a SOC Report
There continues to be a great deal of confusion over the new service organization reporting structure and which reports are the best to obtain. The basic intentions of the reports are as follows:
SOC 1 – Related to Internal Control over Financial Reporting
SOC 2 – Related to testing over the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy
SOC 3 – A simplified report on the same principles as a SOC 2, available for public use
In this article we won’t go into the details of which report you need to obtain. That information can be found in the post titled “Which SOC Report is Right for You?” Here we’ll help answer the question of what you should be doing once you get the report in your hands. Properly reviewing these reports is an essential part of the vendor management and risk management functions, and should be taken very seriously. You are only as strong as your weakest link, which could indeed be your vendors.
Shane M. O’Donnell, CISA, CPA, MSA
Chief Audit Executive