The financial services industry has seen a rise in regulatory requirements for vendor management as more institutions outsource technologies and services. To meet these requirements, institutions need to obtain and review System and Organization (SOC) reports from their service providers to assess their internal control environments. These reports are key to an effective vendor management program and you need to use them properly to ensure that you have complete and accurate information about your service providers’ controls. Below is an overview of what the different report types are, and how to obtain the correct report(s) with the information you need from your service providers.
Identify the SOC Reports You Need
One of the biggest challenges with SOC reports is that there are multiple types of reports available to your institution. Service providers can select a SOC 1 or SOC 2 and then issue them as either a Type I or a Type II. But, what does this terminology mean and how do you know you are obtaining the correct reports?
A SOC 1 (commonly referred to as a SSAE 18) is a report on a service provider’s controls that are relevant to an institution’s controls over financial reporting. This type of report details the controls in place at the service provider that prevent fraudulent financial transactions and provide assurance that your financial records are accurate. SOC 1 reports are commonly issued by providers of core banking services, trust services, general ledger services, and/or payroll services.
A SOC 2 is a report on a service provider’s controls that are relevant to selected Trust Services Principles. The Principles include security, availability, confidentiality, processing integrity, and privacy. A service provider can select a single principle or a combination to include in their report. For each principle, the provider must identify which controls they have in place. The providers who commonly issue SOC 2 reports include managed service providers, cloud service providers, data storage and retention service providers, and data centers.
A Type I report assesses only the design of the controls at the service provider and is generally issued by providers who are undergoing their first SOC audit in order to establish a baseline of controls. This type of report can be identified by having an “as of date” instead of covering a period of time.
A Type II report assesses both the design and operating effectiveness of the controls implemented by a service provider. Because operating effectiveness is covered, this report is stronger than a Type I. A Type II report can be easily identified because it will cover a period of time (typically six-twelve months).
Collect the Correct Reports from Your Service Providers
Now that you have an understanding of the different types of reports, what should you do if your service provider sends you an incorrect report or does not even issue one? Another common challenge faced by institutions is their service providers issue reports that do not cover the contracted services or only cover part of the service performed by a subcontractor (i.e. they forward the SOC report of the subcontractor). If this happens to your institution, you should first follow up with your service provider to assess if a different SOC reports exist that cover the services you are receiving. If the reports do not exist, the options you should pursue will vary based on your vendor relationship and your risk appetite.
First, your institution should seek to collect alternative information regarding the service provider’s internal controls. You can do this by requesting their policies and procedures, performing a site visit, requesting a questionnaire be completed, obtaining internal audit or regulatory examination results, or conducting interviews with their management. If you can obtain this information, no further action is likely warranted. If the service provider cannot or will not provide information on their internal controls, you should add the vendor to a watch list and determine a plan of action. A plan of action may include adding a contractual requirement for a SOC or similar audit, conducting additional monitoring of the vendor, or terminating the vendor relationship. The action taken will depend on your institution’s vendor management program, process for handling vendor issues, and your institution’s risk appetite.
Review Your Provider’s SOC Reports for Completeness
A common misconception is that SOC reports are a “one stop shop” for obtaining all relevant information on a service provider’s internal controls. However, this is not the case. Providers can omit information on internal control areas that your institution may deem relevant or necessary. This is because the service auditor performing the testing can offer guidance on which controls should be included, but it is the service provider who makes the final determination. Service providers are only required to include controls that are required to meet the defined control objectives or Trust Services Principles.
With that in mind, your institution should have a process for thoroughly reviewing the contents of its obtained SOC reports. Consider using a form or checklist to guide your review. You can use a checklist to track information including the type of report, services/systems covered by the report, service auditor’s opinion, control exceptions identified by the service auditor, and the complementary user entity controls. Additionally, using a checklist will help you identify where relevant internal controls, such as those listed below, are included in the report:
- Backup and Recovery
- Physical Security
- System Development and Change Management
- Environmental Controls
- Incident Response and Problem Management
- Logical Access
- Business Continuity Planning and Disaster Recovery
- Risk Assessment Process
If in your review you identify that relevant internal controls are not included in the report, reach out to you vendor for the additional information needed to meet your institution’s due diligence and monitoring requirements.
Knowing what to look for in your provider’s SOC reports and questioning their contents, not only improves your understanding of your service providers’ internal controls, it also allows you to provide your vendor with valuable feedback they can use to improve their reports. Additionally, following these tips and practices, will help your institution meet regulatory requirements and properly manage risks associated with third-party relationships.
To learn more about SOC reporting and vendor management, contact Jason T. Clinton, CISA, CCSFP, IT Assurance Supervisor, at 617-261-8132 or [email protected].