Technology vendors, such as data centers, cloud service providers, and credit card processors, must be assessed as part of an organization’s overall third-party risk management (TPRM) program. A third-party vendor’s SOC 2 report is an essential due diligence element that reveals details about a vendor’s control environment related to one or more of the five Trust Services Criteria – security, availability, processing integrity, confidentiality, and privacy.
The examination is performed by an independent certified public accountant (CPA) firm, which issues an attestation on the vendor’s controls. A SOC 2 Type I report covers the design of controls as of a single point in time, while a SOC 2 Type II report also tests whether the controls operated effectively over a period of time, typically 6-12 months. Check that the Type II period is recent and covers the window you rely on; if there is a gap between the report’s end date and your review, ask the vendor for a bridge (gap) letter covering the interim. There is also a SOC 2+ report, which expands the basic SOC 2 model by adding the criteria of a specific framework (for example HITRUST or ISO 27001) and evaluates whether the vendor’s controls meet those requirements as well.
Reviewing a third-party vendor’s SOC 2 report helps give your organization confidence that your sensitive data is protected, even when it’s stored or handled by a third party. These reviews should be conducted by someone with solid information security knowledge. Credentials such as CISM, CISA, CTPRP, or CISSP can give you a level of confidence that the reviewer is experienced.
Here’s an overview of the main components of a third-party vendor’s SOC 2 report and some tips on what to look for as you review this document.
Main Components of a Third-Party Vendor’s SOC 2 Report
SOC 2 reports are generally structured in a similar format, making it easier to find the specific information you need. Each section can offer valuable insights into your vendor's security practices and controls.
The main SOC 2 sections will cover the following topics:
- Independent Service Auditor’s Report – This section states the auditor’s opinion on the vendor’s system description and controls, which will be one of these four types:
- Unqualified (unmodified) opinion – The auditor concluded that the vendor’s system description is fairly presented and the controls are suitably designed. In a Type II report this opinion also means the controls operated effectively throughout the period. An unqualified opinion does not mean no exceptions were found; individual test exceptions can still appear in the testing section and should be reviewed.
- Qualified opinion – The auditor found one or more areas where the description is not accurate or controls were not suitably designed or operating effectively, but the problems are limited enough that the rest of the report still stands. The opinion will use “except for” language and identify the affected criteria; read those paragraphs closely.
- Disclaimer of opinion – The auditor was unable to obtain sufficient evidence to form an opinion on the description or controls, so the report provides no assurance.
- Adverse opinion – The auditor concluded that the description is materially misstated or that controls are not suitably designed or operating effectively. Words like “misrepresentation” or “inadequate” in the opinion paragraph are red flags; an adverse opinion indicates pervasive weaknesses in the vendor’s control environment and should be treated as a failed due diligence result until the vendor demonstrates remediation.
- Management’s Assertion – This is where your vendor’s management team describes its system and control environment and states how its controls are intended to work. Management’s assertion may contain exclusionary language, such as “except for” or “not including,” which should warrant additional scrutiny. The SOC 2 report describes whether the auditor agrees or disagrees with management’s assertion.
- Description of System and Controls – A vendor SOC 2 report contains a lot of valuable information in this section, such as a description of the system boundary, the vendor’s subservice providers (fourth parties), details about its controls, and complementary user entity controls (CUECs). Note whether subservice organizations are presented with the carve-out method (their controls are excluded from the report, so you may need their own SOC reports) or the inclusive method (their controls are tested as part of this report). CUECs are the controls that the user (your organization) must implement for the vendor’s control objectives to be met; map each CUEC to a control you actually operate, because an unaddressed CUEC is a gap on your side, not the vendor’s. For example, the vendor may state that the user must have procedures in place to ensure transactions are appropriately authorized.
- Testing Matrix – This section lists the controls the auditor tested against the applicable Trust Services Criteria, the tests performed, and the results, including any exceptions noted. Exceptions can appear even under an unqualified opinion, so read management’s response to each one. Vendors can choose to be audited on one or more of the following criteria:
- Security – Is the vendor’s system protected against unauthorized access, use, or disclosure, both physical and logical? These are the common criteria and are required in every SOC 2 report.
- Availability – Is the vendor’s system available for operation and use as committed, contractually or otherwise?
- Processing Integrity – Is system processing complete, valid, accurate, timely, and authorized?
- Confidentiality – Is information designated as confidential (such as customer data) protected as committed or agreed?
- Privacy – Is personal information collected, used, retained, disclosed, and disposed of in accordance with the vendor’s privacy notice and the privacy criteria?
Security is always in scope, but not all of the other Trust Services Criteria apply to every vendor, so it’s not necessarily a red flag if the vendor is not audited on every criterion. Scope depends largely on the vendor’s product or service; what matters is that the criteria covered match the service you actually consume (for example, a hosting provider you depend on for uptime should have Availability in scope).
Understanding the basics of a vendor SOC 2 report and how to evaluate one effectively is an important skill to master in third-party risk management. Reviewing these reports as part of your initial and ongoing due diligence will help ensure your organization is continuing to mitigate third-party risk.