5 Types of Vendor SOC Reports

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. Today we’re going to be talking about the five types of service organization control reports, SOC reports for short. If you missed the Third Party Thursday video on the 3 first key points to review in SOC reports, I recommend queuing that up next! Let’s get started...

So what are the types of SOC reports and which type of SOC report did your vendors have performed? Well, there are five types.

• SOC 1 Type I
• SOC 1 Type II
• SOC 2 Type I
• SOC 2 Type II
  and
• SOC 3

SOC 1 Type II and SOC 2 Type II are the most common.

So what are the differences between the reports?

SOC 1 Type 1’s cover an environment which could affect your financial statements if certain controls are not followed. This audit is performed at a point in time. The catch is that With a SOC 1, like the old SAS 70’s, the vendor gets to write their own controls.

A SOC 1 Type 2 has the same base, the SOC 1 part meaning that the controls are decided on by the vendor, but the Type 2 designation means that the audit covers a period of time. Normally 6 to 12 months. 

A SOC 2 Type 1 is the next type. SOC 2’s made their way into the audit scene in mid 2011 and had a slow adoption. SOC 2’s follow the Trust Service Principles of:

• Confidentiality
  
• Availability
• Processing
• Integrity
  
• Security
• Confidentiality

Only a subset of these has to be chosen and each principle has a set of defined control objectives.

The vendor still gets to write and customize the actual control that gets tested, and can also state that certain control objectives are not applicable, but the SOC 2 provides a much more structured and consistent control environment. 

The SOC 2 Type 2 report is the report that we like the best as it provides a more consistent control environment to review and as it’s a Type 2, it covers a period of time, so we know that the controls were in place and operating effectively for that period of time and weren’t just implemented while the auditors were on site one day. A quick note to say that we feel that Type 1 SOC reports covering only a point in time are worthwhile. Type 1 reports can be great when a vendor has a new service offering or is a new company and don’t have the evidence to cover a period of time, yet still need to show your customers and potential customers that the vendor has created a control environment which has been tested by a third party.

SOC 3 is the last type of SOC. Like the SOC 2 it follows the Trust Service Principles. SOC 3’s are mainly used early on in the Sales process as they don’t require a non-disclosure or confidentiality agreement since they are only the auditors and vendors statements and a description of the vendor’s system stating that controls for the chosen Trust Service Principles are in place and have been audited. Once you get further into the vendor selection process we recommend that you review their SOC 2 report as well.

The benefits of reviewing SOC reports are not limited simply to the examiner’s request. There are true strategic business advantages to be gained from them. Again, I’m Aaron and thank you for watching! Don’t forget to subscribe for next week's Third Party Thursday video.