At the end of 2023, the article “How to Read a SOC Report: Part 1” was published and started the discussion of sections 1 through 3: the Independent Auditor’s Report, Management’s Assertion, and the Description of the Organization’s Operations. Part 1 focused on those sections because they contain the auditor’s opinion and scope, any subservice organizations, management’s summary of the organization, and an in-depth look at the organization’s system.
Part 2 now covers sections 4 through 6 of the SOC report: Control Criteria, Complementary User Entity Controls, and Complementary Subservice Organization Controls (section 4); Description of Test Controls (section 5); and Information Provided by the Organization (section 6). The breakdown of these sections will give the reader a better understanding of how a subservice organization plays into the SOC report, a look at all the controls that apply to the system, and additional information about the organization.
Control Criteria, Complementary User Entity Controls, and Complementary Subservice Organization Controls
The Control Criteria portion of this section lays out the control criteria that are tested in the next portion of the section, Complementary User Entity Controls, and also, if applicable, Complementary Subservice Organization Controls. Complementary User Entity Controls (CUECs) are controls that the user of the service or system being reported upon is required to have in place so that the control criteria are achieved. Complementary Subservice Organization Controls (CSOCs) are controls that management of the organization assumes are in place at the subservice organization. It is important for the organization to call out these controls so that the reader knows what each party is responsible for. The key takeaways from this section are understanding what CUECs and CSOCs are and how they apply to the service or system being tested.
Description of Test Controls
This section is the bulk of the report. All of the organization’s controls are listed here by Common Criteria (CC). The CC is the framework that specifies the functionality and compliance requirements the controls are organized under and tested against. For each CC, the report lists the control, the test(s) the auditor performed, and the results of the test(s). If the control meets all of the test requirements, the result reads “no exception noted.” If the control does not meet all of the test requirements, the result reads “exception noted.”
A brief summary of what failed and why it failed is provided in the results. It is important for the reader to review each control and note any potential problems that could arise on the reader’s end if the organization’s controls had exceptions. Sometimes a control does not operate during the period, and the word or phrase “Planned” or “Planned Testing” will appear in front of the auditor’s test. In most cases, a control that did not operate will not affect the opinion of the SOC report; however, the auditor will point out that the control could not be tested. Recent standards call for auditors to confirm that a control did not operate during the period, which reassures the reader that the control did not in fact operate. The key takeaways from this section are that the reader is aware of all the controls that make up the system and can see how each control was tested and whether any exceptions were noted.
Information Provided by the Organization
This section is usually only included in reports that have exceptions. All of the exceptions in the report are described in greater detail, and management’s response to each exception is provided. This section allows the reader to determine the severity of an exception based on how they use the organization’s system or service.
In some SOC reports this section is also used to provide the reader with additional information that the organization feels is important to communicate but that is not covered by the report or opined upon by the auditor. The key takeaways from this section are an understanding of how management plans to resolve its control exceptions, as well as additional information about the organization not covered by the scope.
With the conclusion of this article, all six sections of a SOC report have now been covered. There is a lot of information in these reports, and, hopefully, these two articles have provided a better understanding of how to read them.
If your entity is interested in obtaining any additional information on SOC reports or if there are any other questions related to SOC, please contact us. For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA regarding our services.