Top SOC-related questions answered
By: Stacie Grimm – LWBJ, Mike DeKock – LWBJ and Ben Hall – Pratum
As you may or may not know, Security and Organization Control (SOC) reports are one of the fasting growing areas in the assurance industry and there are many aspects of a SOC report to consider. Because of the growing popularity and lack of digestible content available, we put together a webinar focused on answering the top ten questions we are hearing from clients and prospects about SOC. Following the webinar, we came up with ten additional questions that people are asking about SOC and we wanted to share the information.
1. Q: Where do you foresee SOC for Cybersecurity going?
A: Time will tell. As cybersecurity threats continue to evolve and additional regulations are implemented to protect personally identifiable information (PII) we see SOC for Cybersecurity as another tool for organizations to assess and prove the protections they have in place over their data and their customers’ data. Because these exams are based on pre-defined AICPA criteria (and have the flexibility to use other comprehensive frameworks, such as NIST), they allow for an objective and comprehensive assessment while being flexible. In addition, these reports are for general use (can be given to board members, regulators, investors and customers), which allows for greater distribution. Therefore, we anticipate that these reports will be requested by clients in particular cyber-related industries and in some situations, could replace traditional security questionnaires. But time will tell…
2. Q: Do you think there will be a SOC 3 that will be for large companies and provide an even greater comfort for companies?
A: We don’t believe so, but a SOC 3 report can be customized to include the level of detail the service organization feels comfortable communicating to a wide audience. A SOC 3 does include the auditor’s report showing the type of opinion that was issued (i.e. clean, qualified), which provides that level of assurance to clients, but since its purpose is for greater distribution, we don’t believe the details included in the SOC 3 will be changed. Because a SOC 3 includes all the work required for a SOC 2, most companies choose to get a SOC 2 report with their SOC 3.
3. Q: What questions should I ask a CPA firm to determine if they are considered reputable?
A: Whether you’re reviewing the SOC report of your key vendor or identifying the ‘right’ firm for your organization’s SOC exam, ask enough questions to feel confident they are experts in the field. For instance: How long has your firm been performing SOC exams? How many SOC 1/SOC 2 exams does your firm conduct in a year? What industries do you specialize in? How did you obtain the IT expertise necessary for SOC exams (IT employees, partner with security consulting firm, etc.)? What credentials do your employees have to demonstrate their expertise (i.e. SOC for Cyber Security Certificate badge issued by the AICPA, CISA, CISSP)?
For your own SOC exam, in addition to the CPA’s technical skills, you should consider the customer experience the potential firm will deliver. What is the firms’ process for requesting and collecting items? How do they provide a smooth engagement that minimizes surprises? Will they provide feedback on efficiencies to improve your organization and the examination process?
4. Q: What constitutes a “qualified opinion”?
A: A qualified opinion is issued when the auditor identifies misstatements in Management’s Description or identifies exceptions/deficiencies in the design or operating effectiveness of controls, that are material but not pervasive. For instance, if multiple exceptions were identified in testing that logical access to systems was not removed timely for terminated employees, the CPA firm would likely qualify the SOC criteria CC6.2 as they weren’t able to obtain ‘reasonable assurance’ that the criteria had been met, but the rest of the SOC report could receive a ‘clean’ (unqualified) opinion.
5. Q: Should I request a SOC report from each vendor or specific ones? And do you look at different information in the SOC report based on the vendor, such as one may be supporting a SOX application/system, and another supports a low-risk application/system?
A: We recommend companies weigh the risk of all their vendors, based on established criteria, and tailor their monitoring and vendor due diligence procedures accordingly.
When determining the criticality and risk regarding a vendors’ products and services, it is important to assess the potential impact of that vendor to your overall organizational goals and risk appetite in the event of a data breach, disruption of services or other event that could negatively impact your organization. Vendors classified as critical/high to your organization should be assessed more extensively since there could be a negative impact if that vendor were to have a control failure and potentially expose sensitive organizational data. It is important to note that not all service organizations may have obtained a SOC report and your organization should create a vendor management and vendor risk management plan and process to adequately assess and monitor vendors holistically.
6. Q: Should we expect controls in a SOC report for how the primary service provider reviews the SOC report and the CUECs (complimentary user entity controls) for their sub-service providers (so the client’s don’t have to)?
A: Yes, the primary service provider should include monitoring activities of their subservice organizations (documented in Management’s Description and/or in specific control activities in Section 4) so its clients can assess those monitoring activities. However, depending on the importance of the service the subservice organization is providing to the primary service provider, clients may still find it necessary to obtain the SOC reports of those subservice organizations. For instance, if a service provider processes client data subject to HIPAA, and that data is stored in a subservice organization’s data center, based on the sensitivity of that data, the client would likely want to review the subservice organization’s SOC 2 report for appropriateness, exceptions, etc.
7. Q: What is a SOC 2 + report?
A: A SOC 2+ report is a SOC 2 report that also pulls in other criteria, which become subject to testing and, thus, covered under the auditor’s opinion. Examples include HIPAA, HITRUST, NIST 800-53 r4, ISO 27001, PCI, etc. Alternatively, many of our clients have opted to provide a mapping of that criteria to the SOC 1 or SOC 2 controls in Section 5 of the SOC 2 report, which allows clients to see the mapping, but doesn’t require the CPA firm to include the criteria as part of the examination, therefore providing cost efficiency.
8. Q: What if exceptions are identified during our SOC exam – how detrimental is that?
A: This is not uncommon. The human element aspect to these controls, system changes and staff turnover may cause something to be missed/dropped on occasion. If there are exceptions identified during testing, CPAs take into account their tolerable deviation rate and also look at other qualitative factors to determine the impact on the exam opinion. Those factors could include; what mitigating controls are in place, how pervasive is the exception (systemic issue?) or is it an isolated incident and what other controls are being tested that help accomplish the same SOC criteria/objective? Exceptions have to be reported but frequently don’t result in an impact to the opinion. If they do result in a qualified opinion, that qualification is usually specific to the SOC 2 criteria/SOC 1 control objective that the exception relates to (not the system as a whole). We recommend all of our clients provide a formal management’s response to exceptions for inclusion in Section 5. Organizations should use the identification of exceptions as an opportunity to improve their security culture and to update processes. Remember, that SOC compliance is a daily activity and should be treated as business as usual. Bottom line – learn from these to prevent duplication.
9. Q: I know I need a SOC report, who can do them?
A: A SOC report can only be issued by an independent Certified Public Accountant (CPA). It may seem odd to hire a CPA to perform a service that has little to do with traditional “accounting,” but the profession has evolved with a continually changing technological landscape. However, not just any CPA can provide this service – the American Institute of CPA’s requires your SOC examiner to meet specific technical expertise and training requirements – so you can be sure a CPA working in SOC should have extensive knowledge of the technical aspects included in your SOC report.
The requirement for a CPA is specific to the issuance of the report – you are not required to have a CPA on your management team and may utilize non-CPA consultants to support the planning and execution of the examination.
A good first step in preparing for a SOC exam is to engage with an information security consulting firm with a proven history of performing SOC readiness assessments. Security consulting firms can help identify potential gaps and offer recommendations for improvement, control development and monitoring, and the creation of documentation that is key to SOC compliance.
10. Q: For organizations that are interested in a SOC report but don’t need one for the services they provide, what are some alternatives that a CPA firm could help with?
A: CPA firms also provide agreed-upon procedures or consulting services (i.e. SOX assessments), or, depending on industry, other attestation services, which accomplish the same objective (i.e. transfer agent exams, SEC custody internal control exams, etc.). Keep in mind that one objective of new criteria was that SOC for Service Organization exams could be applied for internal use and enterprise-wide functions and wouldn’t have to be for external communication/use.
If you have additional SOC-related questions that we haven’t answered or if you’d like to consult with one of our experts, please reach out to Mike DeKock.
The link to our SOC webinar can be found here.