Understanding Your Vendor's SOC Report - The Basics

Podcast Transcript

Welcome to this week’s Third Party Thursday! My name is Lisa-Mae Hill and I’m an Information Security Specialist here at Venminder. In today’s podcast we’re going to discuss the basics of a vendor SOC report. 

A SOC report is an independent audit report performed by a public accounting firm. The report will attest to the existence and effectiveness of controls specified by the company that’s being audited, your vendor. Basically, the report should tell you if your vendor has the right controls in place to safeguard your data and if those controls are actually working, based on the scope of the audit.

It's important to thoroughly review the vendor SOC reports as you obtain them. When you receive the report, it’s not only imperative that you read it, but also that you review and truly understand the report. As you review the document, begin drafting an analysis that identifies any gaps and the complementary controls.

The best way to start your review of a SOC report is to understand what to look for in the report and how to Identify the gaps in your third party’s controls.

When reviewing a SOC report, it’s important to look at and review the following areas:

1. The reporting period – you want to make sure the report is the MOST current available and that it’s recent. If a SOC review was not done within the last 18 months, request additional information from the vendor. They may be able to provide a GAP letter, or bridge letter as some call it, which is a letter issued by your vendor that covers the gap between the last SOC report period ending date and the date of the letter. It can be used by you as an interim assurance by management while waiting for the next audit.
   
   
2. Organization and administration – This section gives you information about the vendor itself. How are they set up, who is responsible for what and what kind of management structure they have in place.
   
   
3. Products and Services – You want to make sure that the report you are reviewing covers the products and services YOU utilize from the vendor. Many vendors have several reports for different products and services and they could all be different.
   
   
4. Understand the information system – Understanding what type of information a vendor process and how they protect it is critical. Your vendor should provide information regarding how they secure servers, networks and computer systems.
   
   
5. Review data center information – access controls, environment and the monitoring of this infrastructure. Data center protections are crucial to protecting information. Understanding how a vendor manages their data center and ensures their infrastructure is resilient and available at all times is important.
   
   
6. Control objectives and activities – This is where the audit firm will actually test the controls in place and determine if they are operating effectively. Identifying failures and areas that are not operating effectively as well as remediations that are in place are an important tool in determining if a vendor can provide you the service they are contracted to provide.

It’s important to identify gaps when reviewing each area within the SOC report and to document any findings. Have a qualified individual, such as a CISSP, perform the review and write up an expert analysis outlining the overall findings.

Your examiner will want to see the actual SOC reports on file for your vendors, as well as a qualified review of the audit report(s) acknowledging your understanding of strengths and weaknesses. The review should be done by qualified personnel who understand what controls should be in place at your vendor and the severity of any findings.

Again, I’m Lisa and thanks for tuning in to this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.