Using a SOC Report to Evaluate a Service Organization: Part 4
How do I review the results of the service auditors’ testing and other information provided by the service organization?
This is the final article of our Using a SOC Report to Evaluate a Service Organization series. In these articles we have explored each component of SOC reports and what you should look for when you review any of your service organizations’ SOC reports. As a reminder, the components of a SOC report are included below. In this article we will discuss what to look for when reviewing the results of the service auditors’ testing and any other information that has been presented by the service organization in the report.
Components of a SOC Report
The components of a SOC report that you should review closely, which each provide specific information to support vendor due diligence and the evaluation of outsourced controls, include:
- The service auditors’ report
- Management’s assertion
- The content of the description, including either:
  - The control objectives specified by management (SOC 1); or
  - The trust services categories selected by management (SOC 2)
- Any complementary user entity controls (CUECs) or complementary subservice organization controls (CSOCs) specified in the report, which are included as part of the description
- The results of the service auditors’ testing
- Other information presented by the service organization
The Results of the Service Auditors’ Testing
The results of the service auditors’ testing are presented after the description of the system in the SOC report. Type 1 reports will present the controls implemented by the service organization and type 2* reports will disclose the controls along with the corresponding tests performed by the service auditor to test the operating effectiveness of the controls.
When reviewing the results of the service auditors’ testing, for each key control you should inspect the test procedure for sufficiency against your organization’s expectations. In addition, review every testing exception for applicability and potential impact to your organization, and review any management response(s) included in the report for remediation efforts.
*Note: we covered the difference between type 1 reports and type 2 reports in our previous article about the service auditors’ opinion and management’s assertion.
Exceptions Identified Through the Service Auditors’ Testing
Exceptions or deviations occur when the service auditors’ testing identifies instances where a control was not reasonably designed or did not operate effectively. When identified, the service auditor will describe the nature of the exceptions. Additionally, any exception in operating effectiveness noted in a SOC report should disclose the number of items tested and the number of exceptions noted.
When an exception is noted in the results of testing, service organization management can choose to provide a response to the exception within the results section or include it in a separate section of the report. The response is typically included in the “other information” section when the actions taken by the service organization are forward looking and outside the examination period.
Other Information Presented by the Service Organization
Information presented in this section of the report is outside the scope of the SOC examination but is information the service organization would like to communicate to users of the report. This section is not part of the system description and has not been subjected to the service auditors’ procedures; however, this does not mean you cannot rely on it. While the service auditor performs no procedures over this information, the service auditor is required to read it and confirm that it contains no material inconsistencies or misstatements of fact.
We hope this series of articles has helped you identify the information you should focus on when reviewing your service organizations’ SOC reports.