Pub. 12 2017-2018 Issue 3

WWW.NEBANKERS.ORG 18

SOC TECH TALK

Quick Guidelines for a SOC Report Review

Leticia Saiid, Security+, CoNetrix

A SOC report is one of the most valuable due diligence documents you can obtain from your vendors. A Service Organization Control (SOC) report describes a vendor's systems and indicates whether those systems are designed to protect you, as a user. While the first step, obtaining a SOC report from your vendor, is fairly simple, the second step, reviewing the report, requires a bit more effort. This article highlights the basics of reviewing a SOC report.

SOC reports have fantastic structure. You can find most of the information you need in the brief Independent Service Auditor's Report section of the document.

Report Type

To determine the report type, you must first determine whether the report is a SOC 1, SOC 2, or SOC 3. A SOC 1 report addresses internal controls, as identified by the service provider. A SOC 2 report addresses the five Trust Services Criteria. Larger service organizations often provide SOC 2 reports, as they are much more complex, expensive, and invasive engagements. A SOC 3 report is a SOC 2 report without any included results; SOC 3 reports are typically used for marketing purposes.

Second, you must determine whether the report is a Type 1 or a Type 2. A Type 1 report focuses solely on the description of the vendor's controls and the suitability of each control's design to achieve the control objectives. A Type 2 report additionally includes an auditor's opinion on the operating effectiveness of the controls to achieve the control objectives. Though the Type is usually stated plainly, you can also determine the Type from the timeframe: Type 1 engagements have a single "as-of" date, whereas Type 2 engagements cover a period of time.