As summer is beginning to roll to a close and fall edges ever closer, the start of year-end reporting is looming over the horizon. October will begin the first big batch of SOC2 reports into our vendor management programs for review. And for Asureti, this also means receiving client questions such as: How do I read this? What do I do with this? I have the report—do I seriously need to read this?
The bottom line is that receiving a SOC2 report from your external partners should be expected, based on your vendor management program guidelines. However, if you take the approach of "because my vendor management program told me so," you will miss out on the value these reports provide. We often find that the root cause of challenges in reviewing these reports is their length and, in some cases, additional review spreadsheets that overanalyze the report and take hours to complete.
Let's face it: you can't check off a box, shove the report in your file cabinet, and say "done."
However, you can perform a useful review of a SOC2 report in under an hour (maybe even in 30 minutes)! Here’s a step-by-step process for reading a SOC2 Report and focusing on the valuable information points.
An initial scan of the SOC2 report should determine the following four items:
The answers to these questions guide how in-depth the rest of your review should be.
Consider Microsoft as an example vendor. Microsoft has multiple products; let's say you want to review their O365 product but receive an Azure SOC2. You need to stop, because the Azure SOC2 is not applicable to O365: you have the wrong SOC2 and need to obtain the right report.
Now, before you take a stab at this step, you may want to refill your coffee because this will be the longest part of your review. Once settled, read through the narrative in search of answers to these questions:
The goal here is to understand the vendor's boundaries. In your review summary, note the information points you are concerned with, but don't worry about restating everything the report includes. Let's take a deeper dive into what a CUEC (complementary user entity control) review may include.
Most CUECs include various forms of access controls, for example a statement that user access must be terminated within an acceptable time frame. Let's say your organization uses single sign-on (SSO), but this vendor doesn't have that capability. This would be something to 1) note as feedback for the vendor as added functionality, and 2) check with your business owner on how they are managing access in that application.
This is a section where you can spend a lot of potentially unnecessary time in your review. You likely do NOT need to read every single control. The benefit of the SOC2 framework is that the controls you will expect to see in each section will be similar across reports; this is a key value of the standard framework and the independent audit process. This review can be streamlined to a few steps:
Let's walk through an example finding that would cause a concern worth reporting up to leadership. Consider a vendor under review that needs to be available 24/7, say a data center. Year after year, they have an exception that they are NOT testing their generators and UPS (uninterruptible power supply) on an annual basis. This means that in an emergency, they may not be able to rely on their backup systems. You would note this as an issue you need the vendor to remediate and inform management of the concern.
Throughout this process, you've been logging notes and working toward the ultimate question for your vendor:
Am I satisfied with my vendor’s control environment?
Nothing more, nothing less. This is the goal.
Now, you may be thinking "Great, but how do I put this all together?" Asureti has put together an example template and is sharing it along with this article (below). It is meant to serve as a baseline to get you through your SOC2 assessments and to allow you to customize it to your program.
SOC2 reviews do not need to be tedious; a satisfactory review of your vendor can be performed without overcommitting resources. However, if you are still struggling with your vendor management program, we have experts more than happy to work with you on any challenge.