S3 E27: How to Read a SOC 2 Report
Transcript
Jordan Eisner
All right, here we are again, Carol. I’ve lost count. I don’t know how many times now you’ve been on the podcast. It’s got to be near 10, if not higher. So good to have you back in familiar territory.
I’m, I’m interested in this one personally, you know, having been in this industry for more than 10 years, always throwing around SOC 2 reports, give me the SOC 2 report. They need a SOC 2 report. We have to have a SOC 2 report, but what we’re going to talk about today and what I think is becoming increasingly important.
Carol Amick
Thank you.
Jordan Eisner
Is how to read them, how to interpret them, how to know if they’re quality, how to identify where there could be risk, because there’s a, not saying it’s a fact, but there’s a feeling in the industry that the quality perhaps of reports is decreasing. And so what was a means of ensuring good data stewardship and practices around client data could have holes. So in this podcast today, which is brought to you by CompliancePoint and referred to as Compliance Pointers, as all our listeners and watchers know, we’re going to be talking exactly about that. How do you read a SOC 2 report? What are the key things to look at? What’s even in it to start with, and what do you need to hone in on? What do you need to understand? And in the shortage of time that everybody has, how can you most efficiently review them, leverage them to understand risk, and then move on with hopefully adding vendors, or asking for more due diligence from a vendor and review?
So we’ve got Carol Amick. She’s a CPA, plethora of experience in SOC 2 audits, but also other information assurance audits including HITRUST assessments and regulatory expertise when it comes to HIPAA. Consul, you know, consulting expertise, expertise when she’s worked for the clients and actually been a VP of compliance at different organizations. So she brings a lot to the table. She’s a familiar face on these podcasts and she’s going to talk to us today about it. So Carol, first and foremost, what’s in a SOC 2 report? What are the basic components?
Carol Amick
So you know that it’s going to have the same basic components regardless of who does your audit or what’s in it. It’s going to have the auditor’s report, which is basically the report from the CPA firm that tells you what they did and what the results were. And most people flip right to the bottom of that and look for, was it a clean opinion or not, or what we call a qualified opinion, and we’ll talk about exceptions I think later. It’s also going to have management’s assertion, and that’s basically where management is telling you and the CPA, yes, everything I gave you is correct, because keep in mind a SOC audit is not designed to find fraud. It’s not designed to find things that are being, you know, lies and stuff. So you really kind of, the client and the CPA have to work together. But it is our client’s job, as a CPA when we’re dealing with somebody getting a SOC, they have to be honest with us. So that’s the assertion, is them saying we’ve been honest and here’s what we told you.
I mean, then there’s a description of the system, and that’s something you really want to look at because you want to be sure that the system they gave you the audit for is the system that you’re buying from the service provider. A lot of people, for example, we talked to a company just this week that has five SOC audits for various product lines. A lot of people have more than one service, and they may be putting all of that in one audit. They may be auditing only part of it, only one service, and you’re buying something else. So you want to read the description of the system and make sure it’s what you are getting from your service provider. And then it comes to the trust services criteria and the related controls, and that’s the biggest section of the report. That is where the various criteria that the auditors.
Jordan Eisner
Fine, right. That’s a great point.
Carol Amick
Are auditing you against and the controls that the client, the service provider, has put together are laid out, along with a brief description of what the CPA did. And it is brief, because what the CPA does is a lot more intense than what you’re going to get in that little paragraph. And then the conclusion, whether there were exceptions noted or whether.
Jordan Eisner
Right.
Carol Amick
Whether it, you know, worked the way it was supposed to. So those are the big components of it. There is some other information management can provide. We talked about if there are exceptions, as I said, they can respond to exceptions and explain why they happened, and create their corrective action plans that they have in place for something that was an exception. Because not every exception is going to result in an adverse opinion. I mean, it just depends on the problem and how big it is and what risk it would make to the organization.
Jordan Eisner
OK, so that’s the basic breakdown then. What are the most important parts?
Carol Amick
So two things. One was, as I talked about, making sure that you’re getting a SOC 2 that covers what you want it to cover. And the second is, what are the trust services criteria and the related controls? Every SOC 2 report will have security. That is, the AICPA, who kind of governs and has oversight, says you have to have security; they call the common controls. A lot of times you’ll see them referred to by CC. Those are your basic security controls. You have an option to put in availability. You have an option to put in confidentiality, privacy and processing integrity.
Jordan Eisner
As the five criteria that could be applicable.
Carol Amick
Those are the five criteria. Clients pick the face of what they want. So for example, if you were to get a hold of an AWS audit report, SOC audit report, it always is going to cover availability, because if you’re a cloud service provider, what’s one of the most important things you can do? Keep the thing up and running. Yeah, availability. So you know, sometimes some of those criteria aren’t relevant just because of what the client, the service provider, may be doing. You know, it just may not be important to you. Security is always the biggie, but the criteria are pretty high level. So underneath these criteria, the service provider has to list out the controls they’re doing to put in place that criteria.
So, you know, we have a system in place to make sure we’re doing things right, that people do the right thing, that there’s integrity. That’s kind of one of the security controls, actually, a whole thing about integrity. You want to look and see what they’re asking and does the control kind of give you a feeling that they’re really doing the right thing. I’ll give you an example. We had a client take this out of their report because we were like, what does this actually give them? It says human resources recruits qualified candidates for us to interview. OK, what? How did that help them through the security of the system? It’s just kind of like, OK, yeah, that’s their job. That’s not necessarily a control that you want to allow for system security. You know, you do want to make sure that they do a background check. For example, human resources did a background check to make sure that our employees, you know, don’t appear to be criminals or things like that. That’s a control that you’re going to rely on, but not necessarily that they went out and recruited good people in the beginning. So you want to look at those controls and see if they look like they’re making sense and if they’re covering the things that you’re concerned about, that you’re relying on the service provider to do, because the report is their whole environment, but you may be concerned for your environment about something particular they do. So you want to look at that criteria and make sure that, you know, things they’re doing make sense and go for that.
The other thing is, if there’s an exception, you want to look at what their, so that exception should be documented, as I said, in the other information, and then you want to decide if that’s a problem for you. And I will use an example. When I was in industry, we were a publicly traded company and we had a vendor that we would get their SOC every year, and there was an exception that was material to our Sarbanes-Oxley audit process, which meant we had to do special auditing on our system to make sure that we were good so that we could get a clean opinion from our CPA firm. So you’re looking to see, OK, they’ve got a problem. What do I need to do on my side to protect our system? We had already put the control in place. We knew this particular vendor was never going to fix this particular problem. It’s just Layla plus. And so, you know, for our auditors though, we had to go in and do special auditing to prove to them that we had mitigated the risk our vendor had exposed us to.
Jordan Eisner
And then for your SOC 2 audit, or for your Sarbanes-Oxley audit?
Carol Amick
For our, well, ours was a Sarbanes-Oxley. Yeah, we were publicly traded, so we had a Sarbanes-Oxley attestation problem.
Jordan Eisner
But your point there is the importance of not only are there exceptions or not, but what’s the type of exception and how material is that to our business and our obligations?
So a qualified report is also what you would consider, or what you coined, a clean report. And that means no exceptions, correct? No.
Carol Amick
Yeah.
No, a non-qualified report.
Jordan Eisner
Non-qualified. See all this lingo.
Carol Amick
Qualified means I’m giving you an opinion, but the opinion says you’ve got a problem. So those are not very common, partially for two reasons. One, usually most people design their controls so they know what they’re going to be audited about. It’s not like the CPA firm shows up and it’s a surprise what we’re looking at. So it is not incredibly common to get a qualified opinion, but the qualified opinion will be, you know, because of this gap. So let’s just, I’m making this a worst case scenario. Let’s just say we got there, and it turned out, as the CPA, we got there and audited your firewall rules, and your firewall rules were set up to allow all. And you know, there was no weeding of people out. Anybody who wanted to could just log into your system. That would get you a qualified opinion, because, you know, obviously you are not protecting people’s data if you’re letting anyone in. But you know, on the other side, if we tested twenty-five new hires and one of them hadn’t completed training within the timeline you outlined in your control. So you said everybody has to be trained on security within 30 days. Jordan didn’t get his done till 45. Then that would be an exception, but it wouldn’t necessarily cause you to fail your audit. It would just be noted as an exception. You would put in there that, you know, you’re working with HR to develop an exception report that says log this person off at day 30 if they haven’t finished training. So, yeah, that’s how you kind of have to look at it. When you’re the CPA, you’re kind of looking at that and making that judgment call as to, does this.
Jordan Eisner
OK.
Carol Amick
Really compromise the security of the system of the services or is this just, you know, an exception?
Jordan Eisner
And that’s when it’s spelled out. So what about when it’s not? What about when it’s a non-qualified report? Clean. But perhaps, I’m not saying this happens, it’s a suspect auditor. Is there a way to, you know, sniff that out? Is there a way to look at the controls that were tested, or is the report not really the vehicle to flush that out?
Carol Amick
There are things you can look for. One is, I told you that the auditor should be putting in a brief explanation of what they’ve done. So you want to look at that. You want to see that there were samples, for example, on new hires, there were samples over the whole audit period. So if your audit period, we talked about this before, if your audit period is nine months or a year, the sampling period should be nine months or a year. So you’re looking for whether samples pulled covered the whole audit period. I’m do the is there does it say you know I was looking when the is it acquired of the CEO and firewalls and you know that an intrusion detection system was in place and I’m like, OK, well, did you see the alerts? You know, inspected alerts, inspected reporting should be the next step. There should be, OK, we then inspected the alerts. So you’re looking for the quality of what they did. You do want to make sure that the firm is registered. You know, the various national county standards boards is kind of who generally registers the firms. And they should be saying in their letter too that they are abiding by the AICPA guidelines. Also, I did see one SOC report that.
Jordan Eisner
OK, that’s a good one.
Carol Amick
Was based, did not even include the common controls, the security controls. That would have raised a red flag to me about that auditor. Because if you read the AICPA guidance, you’ve got to include these controls. You can include other frameworks. We talked about this in our other podcast. You can then go out and get the PCI framework. You can go grab some.
Jordan Eisner
Yeah.
Carol Amick
Of those controls, you can add new controls on top of that. This one was actually based on the HIA standard only, which was iffy, in my opinion, at best. I just felt like that was a sign that we weren’t paying attention to what the guidelines are for the requirements for SOC 2 at that CPA firm.
Jordan Eisner
So you’ve got to know a little bit. You’re looking at the quality. And the answer to this might be no. Is there anything that jumps off immediately in a report as a red flag? OK, yeah, sure. Maybe they’re not registered. Maybe they don’t talk about sampling or some logical next steps that make sense in what they actually did, or they don’t include security.
Carol Amick
Yeah, that would be red flagged. You want to read what they say they do. You want to read their opinion. You want to read the whole letter. I’ve seen some where it’s very evident that, in the letter, they’re really relying an awful lot on management’s assertion.
Jordan Eisner
As a criteria, any other red flags?
How long is a typical letter?
Carol Amick
It’s kind of like, you know, with the SOC reports you do, for example a SOC 2 type 1, if you read the audit letter on that, it will say we relied heavily upon management’s assertion, because the type 1 report does not have any auditing. And we didn’t talk about that, but that’s also something to look at when you’re looking at the report. What is the type? A SOC 1 and a SOC 2 type 1 doesn’t really have a lot of auditing. It is an evaluation of the controls. So it is only going to rely on management’s assertion. But I saw one the other day where they tried to pretend that was for a year, and that doesn’t work either. That management assertion is a point in time, so.
Jordan Eisner
Where are you seeing all these SOC reports, Carol? All these sketchy SOC reports?
Carol Amick
Um, I am.
Jordan Eisner
You don’t have to. You complete the fair.
Carol Amick
I troll, actually. I do Google search and type. I was looking for an example of a SOC 2 type 1 and Google searched it. So yeah, they’re not our clients. I’m not saying that I’m getting them from our clients, so.
Jordan Eisner
There you go. Let the record state.
Yeah, that was a trick question. And let the record show that Carol did not say any of our reports or our clients.
Carol Amick
No, they’re not under four chart lots. I Google searched it. So yeah, so you want to read that letter and see if they say they rely, and if they rely a lot on management’s assertion. Now the type 1, they’re going to, because the type 1 is.
Jordan Eisner
Yeah, there you go.
Carol Amick
Really, and that’s something else to look at. If it’s just a type 1, all they’re telling you is the control has been designed and management has set it in place. A type 2 says the control has been designed and we have tested it and it works. So you want to, you know, that’s the difference.
And a type 3 is generally just a report summarizing what was done in the type 2. And if you get a type 3 from one of your clients, you should be able to also get the type 2. They have the type 2. I don’t know if I’ve ever heard of anybody issuing just a type 3, but the type 3 leaves out some confidential information. So a lot of people, a lot.
Jordan Eisner
Yeah. OK. So correct my thinking on this, because I think we just made sense. There’s not gonna be a SOC 3 without a SOC 2, because my understanding was that the SOC 3 is essentially an abbreviation of the SOC 2 that can be publicly facing. OK.
Carol Amick
People like to put it on their website.
Yeah, it’s, I call it the public relations or the press release side. You can put it on your website without really worrying about how much information you’re giving your competitors, how much information you’re giving people who might have nefarious.
Jordan Eisner
Yeah, I’ve seen through Google search and various other means a lot of information security professionals saying that they never pay attention to that and always request the SOC 2 report.
Carol Amick
That is so.
Yeah. So well, for example, you talked about, I do a lot of other certifications, and I do the HITRUST certification for us, and HITRUST has been very clear that, as a HITRUST auditor, if we are relying on a SOC report, it must be a SOC 2, type 2. It cannot be a type 1 and it cannot be a type 3. It has to be that report showing all the audit and what was done. So, you know, I think probably other regulatory bodies that, you know, you’re using the SOC to show that kind of thing are going to want that same thing. You’re saying to them, you know, we’re relying on our service provider, here’s evidence they do it. They’re not going to be happy if your evidence is a SOC 1 or a SOC 3. It’s going to have to be that type 2.
Jordan Eisner
I think that’s enough for the topic today. I think those are some quick hitters for people evaluating SOC 2 to quickly look at. And I’d say to our listeners and watchers, if you have any further questions on that, how to evaluate it, if you’re in the market for a SOC 2 report or need an auditor, please don’t hesitate to reach out at CompliancePoint.com. You can e-mail us at connect@compliancepoint.com. Carol and I are both available on LinkedIn if you want to message us that way. So until next time, Carol, thank you for all your input.