You Have a SOC2 – What Next?

September 15, 2021

As summer is beginning to roll to a close and fall edges ever closer, the start of year-end reporting is looming over the horizon. October will begin the first big batch of SOC2 reports into our vendor management programs for review. And for Asureti, this also means receiving client questions such as: How do I read this? What do I do with this? I have the report—do I seriously need to read this?

The bottom line is that you should expect to receive a SOC2 report from your external partners, based on your vendor management program guidelines. However, if you take the approach of “because my vendor management program told me so,” you will miss out on the value these reports provide. We often find that the root cause of challenges in reviewing these reports is their length and, in some cases, additional review spreadsheets that overanalyze the report and take hours to complete.

Let’s face it; you can’t check off a box and shove the report in your file cabinet and say "done".

However, you can perform a useful review of a SOC2 report in under an hour (maybe even in 30 minutes)!  Here’s a step-by-step process for reading a SOC2 Report and focusing on the valuable information points.

Step One – Initial Scan

An initial scan of the SOC2 includes determining the following four items:

  1. What criteria did the auditor assess? Did they assess all criteria I am expecting? (e.g. security, availability, etc.)
  2. What is the time period covered?
    • Look for full-year, no-break coverage. For example, a report covering October 1st through September 30th, every year you receive the report.
  3. What product is the report covering?  Does this match with the services/product you engage the vendor for?
  4. Was a qualified or unqualified opinion received?
    • You want to see an unqualified opinion.  Qualified opinions mean you cannot rely on the organization’s controls. You will need to follow your vendor management program guidelines on what to do next.

The answers to these questions guide how in-depth the rest of your review should be.

Consider Microsoft as an example vendor. Microsoft has multiple products and let’s say you want to review their O365 Product and receive an Azure SOC2.  You need to stop because the Azure SOC2 is not applicable for O365; you have the wrong SOC2, and need to obtain the right report.

Step Two – Read the Narrative

Now, before you take a stab at this step, you may want to refill your coffee because this will be the longest part of your review. Once settled, read through the narrative in search of answers to these questions:

  1. Do I understand what the vendor’s product does for me and how my data is processed? Could I explain it in a paragraph to my leadership to support reasoning if I have concerns about the vendor?
  2. What controls am I, the customer, responsible for maintaining?
    • These are referenced in the CUEC (Complementary User Entity Controls) section. These are controls your organization needs to have operational to keep the environment functioning appropriately. Do you have them?
  3. Who are my vendor’s partners?
    • Who are the strategic partners my vendor works with and what are they responsible for? Do I understand what, if any, of my data they may have access to or process?

The goal here is to understand the vendor’s boundaries; in your review summary, note information points you are concerned with, but don’t worry about restating everything the report includes. Let’s take a deeper dive into what a CUEC review may include.

Most CUECs include various forms of access controls, for example a statement regarding terminating user access within an acceptable time frame. Let’s say your organization uses single sign-on (SSO), but this vendor doesn’t have that capability. This would be something to 1) note as feedback for the vendor as added functionality, and 2) check with your business owner on how they are managing access in that application.

Step Three – Control Review

This is a section where you can spend a lot of potentially unnecessary time with your review. You likely do NOT need to read every single control. The benefit of the SOC2 framework is the controls you will expect to see in each section will be similar across the reports – this is a key value of the standard framework and the independent audit process. This review can be streamlined to a few steps:

  1. What controls have exceptions and what are those exceptions? Are any of the findings repeat findings (i.e. a finding shows up year-after-year)?
  2. Review management’s response – are you satisfied with how they responded and the time frame in which they fixed the problem?

Let’s walk through an example finding that would cause a concern to report up to leadership. Take a vendor under review that needs to be available 24/7, let’s say a data center. Year after year, they have an exception that they are NOT testing their generators and UPS (Uninterruptible Power Supply) on an annual basis. You read this as meaning that in an emergency, there is potential they cannot rely on their backup systems. You would note this as an issue you need the vendor to remediate and inform management of the concern.

Step Four – Final Assessment

Throughout this process, you’ve been logging notes and working toward the ultimate question for your vendor:

Am I satisfied with my vendor’s control environment?

Nothing more, nothing less. This is the goal.

Now, you may be thinking, “Great, but how do I put this all together?” Asureti has put together an example template and is sharing it along with this article (below). It is meant to serve as a baseline to get you through your SOC2 assessments and allow you to customize it to your program.

SOC2 reviews do not need to be tedious; a satisfactory review of your vendor can be performed without overcommitting resources. However, if you are still struggling with your vendor management program, we have experts more than happy to work with you on any challenge.