December 9, 2014
Evaluating Year-End SOC Reports – Best Practices
Posted by Steve Shofner
As the calendar year end approaches, it’s time to start collecting and analyzing Service Organization Control (SOC) reports. SOC reports are independent audit reports on your service providers’ controls. Since most organizations use the calendar year as their fiscal year, vendors and their SOC auditors plan to complete their audits and deliver the reports around now, close to year end. This keeps the related testing as close to your year end as possible, which matters for financial statement and Sarbanes-Oxley (SOX) audits.
When obtaining SOC reports, remember that they are audit reports, not certifications. A report may contain red flags, and it’s incumbent upon you to read it and determine whether anything in it negatively affects the service you receive. Consider these items when evaluating each SOC report:
- Determine the scope and coverage of the report. Does the information in the report match the specific service being provided to you?
  - SOC 1, SOC 2, or SOC 3 (a SOC 3 is a general-use summary and does not include control-level test results)
  - Type I (design of controls at a point in time) or Type II (operating effectiveness over a period)
  - Date coverage (the period tested, or the as-of date for a Type I)
  - Service / application coverage
  - Processing centers / data centers coverage
  - Cities / countries of the processing centers
  - Use of sub-service providers (inclusive or carve-out approach; a carved-out provider is not covered, so you need its own report)
- Check for control issues
  - Adverse and/or qualified opinion
  - Missing controls
  - User control considerations (controls the vendor assumes you operate on your side)
  - Testing exceptions
Depending on the timing of the SOC report, there may be a gap in coverage. For example, some major service providers issue SOC reports with test periods ending around May or June. If your fiscal year ends in December, that leaves a six-month gap in coverage for you.
In these instances, you need to obtain a “Bridge Letter” (also called a gap letter) from the vendor. This is usually a one- to two-page document on the vendor’s letterhead stating that the processes and controls covered in the last SOC report have not changed since the report was issued. If there have been changes, they should be noted and described in the letter, including any impact on your organization. Because a bridge letter is a management assertion rather than the result of an audit by an independent third party, it does not provide the same level of assurance as the report itself. However, most processes and controls are stable and do not change from year to year, so these letters generally provide enough assurance and accountability for the gap, and they are accepted by most organizations and their auditors. Expect more scrutiny the longer the gap is; your auditor may ask for additional evidence when the gap stretches well past a few months.
If you are unfamiliar with this process, check with your internal or external auditor, who should be able to provide guidance, training, and/or useful templates for evaluating SOC reports and bridge letters.
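The checklist above and the coverage-gap discussion lend themselves to a small inventory script. The following is an added example, not part of the original post: it takes per-vendor report metadata (the field names such as `period_end`, `bridge_letter_through` and `carved_out_subservices` are assumptions for this example, not terms from any standard) and flags trailing and leading coverage gaps against a fiscal year, Type I limitations, non-standard opinions, testing exceptions, and carved-out sub-service providers. The vendors in the sample inventory are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class SocReport:
    """Metadata pulled from one vendor's SOC report (hypothetical inventory fields)."""
    vendor: str
    kind: str                               # "SOC 1", "SOC 2" or "SOC 3"
    report_type: int                        # 1 = point in time, 2 = operating effectiveness over a period
    period_end: date                        # as-of date (Type I) or end of the test period (Type II)
    period_start: Optional[date] = None     # only meaningful for a Type II report
    opinion: str = "unqualified"            # "unqualified", "qualified" or "adverse"
    testing_exceptions: int = 0             # exceptions noted in the tests of controls
    carved_out_subservices: List[str] = field(default_factory=list)
    bridge_letter_through: Optional[date] = None   # date the vendor's bridge letter asserts coverage to


def assess(report: SocReport, fy_start: date, fy_end: date) -> dict:
    """Compare a report's coverage with our fiscal year and list items needing follow-up."""
    findings: List[str] = []

    if report.report_type == 1:
        # A Type I opines on control design at one date; it says nothing about operation over a period.
        covered_from = covered_to = report.period_end
        findings.append("Type I report: design only, no operating effectiveness over a period")
    else:
        if report.period_start is None:
            raise ValueError("a Type II report needs a period_start")
        covered_from, covered_to = report.period_start, report.period_end

    # Trailing gap: fiscal-year days after the audited period ended.
    gap_days = max((fy_end - covered_to).days, 0)
    # Leading gap: fiscal-year days before the audited period began.
    lead_gap_days = max((covered_from - fy_start).days, 0)

    if gap_days > 0:
        letter = report.bridge_letter_through
        if letter is not None and letter >= fy_end:
            findings.append(f"{gap_days}-day gap bridged by vendor letter (management assertion, not audited)")
        else:
            findings.append(f"{gap_days}-day gap after period end; obtain a bridge letter through {fy_end}")
    if lead_gap_days > 0:
        findings.append(f"{lead_gap_days}-day gap at start of fiscal year; check the prior report")

    if report.opinion != "unqualified":
        findings.append(f"{report.opinion} opinion: read the basis-for-opinion paragraph")
    if report.testing_exceptions:
        findings.append(f"{report.testing_exceptions} testing exception(s): assess impact on your controls")
    for sub in report.carved_out_subservices:
        findings.append(f"carve-out: {sub} not covered; obtain that provider's own report")
    if report.kind == "SOC 3":
        findings.append("SOC 3: general-use summary only, no control-level test results")

    return {"vendor": report.vendor, "gap_days": gap_days,
            "lead_gap_days": lead_gap_days, "findings": findings}


def sample_assessments() -> Dict[str, dict]:
    """Run assess() over a constructed inventory for a calendar fiscal year 2014."""
    fy_start, fy_end = date(2014, 1, 1), date(2014, 12, 31)
    reports = [
        SocReport("PayrollCo", "SOC 1", 2, date(2014, 6, 30), date(2013, 7, 1),
                  carved_out_subservices=["ColoHost"]),
        SocReport("CloudStore", "SOC 2", 2, date(2014, 11, 30), date(2013, 12, 1),
                  testing_exceptions=2, bridge_letter_through=date(2014, 12, 31)),
        SocReport("TicketSaaS", "SOC 2", 1, date(2014, 9, 30)),
    ]
    return {r.vendor: assess(r, fy_start, fy_end) for r in reports}


if __name__ == "__main__":
    for result in sample_assessments().values():
        print(f"{result['vendor']}: {result['gap_days']}-day trailing gap")
        for finding in result["findings"]:
            print("  -", finding)
```

Feed it your real vendor list and the output is the follow-up list for the year-end review: which vendors need a bridge letter, which carved-out providers need their own report, and which reports need a closer read because of the opinion or exceptions.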