Ideally, reviewing a SOC Report will take you 15 minutes or less (once you get the hang of it). If you are a financial institution and you have vendors, then you have plenty of SOC Reports to review every year.
This blog will tell you what to review in SOC Reports, and nothing more.
You Don't Have to Know It All
I could tell you all sorts of information about SSAE 18 and SOC Reports! Here's one: SSAE 18 is the rule book and SOC is the engagement and report name, so you don't get an SSAE 18 from your vendor, you get a SOC Report. But what you actually want/need is a quick way to get your job done, not a dissertation on the inner working of SOC audits.
Other people may try to make the SOC Report review process seem big and complex so that you will rely on them to do the reviews for you… Don't let them scare you. You are capable of reviewing a SOC Report just as well as any expert. Really! I believe in you.
Admittedly, SOC Reports are complex and they are full of important information, but finding the information you need from it is really quite simple.
You Just Need the Important Parts
Think about this: If your vendor has a SOC Report, then that means an outside party has reviewed the vendor on your behalf. The outside party has verified the vendor is operating effectively. Thanks to this outside party, you don't have to comb over every detail of a SOC report. This means you can primarily read the cliff-notes version in the "Auditor's Report" section and trust the outside party's judgment.
SOC reports are completely standardized. They share a basic structure and even include some of the exact same sentences. This means you can grab what you need from a few specific places, then be on your way.
Let's Get To It
Here is a quick list of the information you need to find in a vendor's SOC report and note in your review. Section names won't be exact, but they're pretty close.
Look at the Cover Page to compile a profile for this SOC report. Find the company being reviewed, the auditing firm, SOC #, and Type #.
Look at the Scope subsection of the Auditor's Report section to find when the audit was done.
Now, this is one of the two most important parts of your review, so focus with me here. Look at the Scope subsection of the Auditor's Report section to see if complementary user entity controls are employed. If so, go to the Description of Systems section to find all of the details about the complementary user entity controls. And obviously, make sure you are doing those things.
Look at the Scope subsection of the Auditor's Report section to see if subservice provider controls are employed. If so, go to the Description of Systems section to find out what the vendor is doing to monitor the subservice provider controls.
Look at the Limitations subsection of the Auditor's Report section to see if anything happened during the audit that limited the auditor's ability to check everything.
This is the other of the two most important parts of your review. Look at the Opinion subsection of the Auditor's Report section to see if the auditor found anything problematic. Also, note their official "opinion." If the auditor noted significant issues, find the Other section. Management should provide some kind of response to the significant issues found.
If this was a Type 2 engagement, look at the Test Results section to find any and all exceptions encountered during testing. This may include some that were not considered significant enough for the auditor to mention in the Opinion subsection.
And that's it. While it's pretty simple, why not make it easier? We created a downloadable PDF with the above checklist so that you can easily and efficiently review your SOC reports.
