It’s important for your clients and internal stakeholders to know how your business handles sensitive data. SOC 1® and SOC 2® reports offer valuable insights into your organization's technology risks, security measures, and implemented controls. These reports can be shared internally and externally to demonstrate your commitment to data security and set your business apart.
Here are some of the key elements to focus on as you review and share your SOC report.
Auditor opinion: Your report card
After testing the design and operating effectiveness of the business controls that were identified by your management team during the observed period of a Type 2 audit, the auditor will provide their opinion in your report. The opinion, which is arguably the most important element of a SOC report, can be one of the following four types:
- Unqualified opinion: The auditor confirmed that the tested controls were designed and operating as described. Please note: it is possible for an organization to receive an unqualified opinion even if it has non-occurring controls or exceptions.
- Qualified opinion: The audit firm identified matters that were material – meaning that some key controls at the organization weren't designed well or didn't operate as described – but not pervasive.
- Adverse opinion: The audit firm identified both material and pervasive issues that would prevent the vendor from achieving either all or most of its service commitments and system requirements.
- Disclaimer opinion: The organization didn't provide the auditor with enough information, so they were unable to form an opinion.
The opinion is located in Section 1 of your SOC report (you can also use Ctrl+F to search for "opinion" in the report).
Subservice organization: Evaluating your entire service delivery chain
A vendor that is part of your organization's system but is not the primary entity being assessed for SOC compliance is called a "subservice organization." Businesses often depend on the security controls that are in place at subservice organizations, so including them in SOC reports is crucial to providing a comprehensive view of your entire system. Be sure that you read and understand what services are outsourced to a subservice organization, how the organization is being monitored and assessed, and whether they meet the standards of your business.
If a list of subservice organizations is included in your SOC report, it can be found in Section 3 (you can also use Ctrl+F to search for "subservice" in the report).
Complementary User Entity Controls (CUECs): Assessing security effectiveness
These controls, which can also be referred to as client control considerations or user control considerations, are controls that the service organization assumes its user entities will implement on their own side. User entities are organizations that utilize the services provided by a service organization. CUECs can be found within the SOC report of any service organization that is used by your business. Your SOC report will provide insights into how well CUECs are implemented and how they contribute to your overall security.
To illustrate how CUECs work, imagine a user entity utilizing a common file-sharing program like Dropbox. When an employee leaves the company, it's the responsibility of that user entity to revoke the former employee's access to the file-sharing program. Dropbox has no way of knowing when a user entity’s employee access should be removed. As a result, it becomes the user entity's task to ensure that former employees lose access to the file-sharing program upon termination.
CUECs are located in Section 3 of your SOC report.
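The Dropbox illustration above describes a CUEC that a reviewer will want evidence for: terminated employees actually lose access. The following is an added example, not code from the original article, showing one way a user entity can check that control itself. It reconciles a constructed HR roster (with termination dates) against a constructed export of a file-sharing service's user list, flags terminated employees whose accounts are still active, and separates findings that are past an assumed one-day revocation deadline from those still within it. The data, the email addresses, the `SLA_DAYS` deadline and the `REVIEW_DATE` are all assumptions made for the example.

```python
from datetime import date

# Constructed sample HR roster (hypothetical): None means the person is still employed.
HR_ROSTER = [
    {"email": "alice@example.com", "terminated": None},
    {"email": "bob@example.com", "terminated": date(2024, 3, 1)},
    {"email": "carol@example.com", "terminated": date(2024, 3, 15)},
    {"email": "dave@example.com", "terminated": date(2024, 4, 10)},
]

# Constructed export of the file-sharing service's user list (hypothetical format).
FILE_SHARE_USERS = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "suspended"},
    {"email": "carol@example.com", "status": "active"},
    {"email": "dave@example.com", "status": "active"},
    {"email": "contractor@example.net", "status": "active"},
]

# Assumed commitment: access is revoked within one day of termination.
SLA_DAYS = 1
# Assumed date on which the review is performed.
REVIEW_DATE = date(2024, 4, 10)


def find_orphaned_access(roster, users, as_of, sla_days=SLA_DAYS):
    """Return terminated employees who still hold an active account.

    Each finding records how many days the account has stayed open past the
    termination date and whether that exceeds the revocation deadline.
    """
    active = {u["email"].lower() for u in users if u["status"] == "active"}
    findings = []
    for person in roster:
        term = person["terminated"]
        if term is None or person["email"].lower() not in active:
            continue  # still employed, or access already removed
        days_open = (as_of - term).days
        findings.append({
            "email": person["email"],
            "terminated": term.isoformat(),
            "days_open": days_open,
            "severity": "exception" if days_open > sla_days else "within_sla",
        })
    return findings


def find_unattributed_accounts(roster, users):
    """Return active accounts that cannot be matched to anyone on the HR roster.

    These are not CUEC exceptions by themselves, but the reviewer cannot show
    the termination control applies to them until they are attributed.
    """
    known = {p["email"].lower() for p in roster}
    return sorted(
        u["email"] for u in users
        if u["status"] == "active" and u["email"].lower() not in known
    )


def cuec_review(roster, users, as_of):
    """Bundle the evidence a reviewer would attach to the CUEC."""
    orphaned = find_orphaned_access(roster, users, as_of)
    return {
        "exceptions": [f for f in orphaned if f["severity"] == "exception"],
        "within_sla": [f for f in orphaned if f["severity"] == "within_sla"],
        "unattributed": find_unattributed_accounts(roster, users),
    }


if __name__ == "__main__":
    result = cuec_review(HR_ROSTER, FILE_SHARE_USERS, REVIEW_DATE)
    for finding in result["exceptions"]:
        print(f"EXCEPTION: {finding['email']} active {finding['days_open']} days after termination")
    for finding in result["within_sla"]:
        print(f"pending:   {finding['email']} terminated today, revocation still within deadline")
    for email in result["unattributed"]:
        print(f"review:    {email} is active but not on the HR roster")
```

Run against the constructed data, the script reports Carol as an exception (her account is still active 26 days after termination), lists Dave as within the deadline because his termination date is the review date, ignores Bob because his account is already suspended, and flags the contractor account for attribution. The same kind of reconciliation, run on a schedule and retained, is the evidence that shows a CUEC is operating rather than merely documented.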
Control narratives: Your security blueprint
Control activities act as a playbook for keeping things secure. They're statements that outline how your business plans to tackle risks and make sure your environment stays safe. Each business needs to determine which controls are critical for them.
SOC 1® and SOC 2® reports evaluate how well your security controls are designed and if they are working as planned. Take the time to carefully review the control activities that are aligned with your organization's risk profile to be sure that they are relevant and sufficient.
Control Narratives can be found in Section 4 of your SOC report.
Exceptions: Unanticipated control issues discovered
Exceptions are noted during testing when a control isn't working the way it should. After testing has been completed, they are documented within your SOC report and should be reviewed. As you look through the critical controls for your organization, check to see if there are any exceptions. If so, you should evaluate how they might impact the security of your organization's data.
Exceptions are listed in the Test Results Column (or equivalent) of Section 4 and/or in Section 5 of your SOC report (you can also use Ctrl+F to search for "exception" or "out of" in the report). Section 5 might also provide details about the steps that were taken to assess and/or remediate the exception(s) and/or enhance the controls following the examination period.