SOC Simplified: How to Review a SOC Report
Video by: Richey May, Jun 19, 2025
If you work with third-party vendors, especially those handling financial data or sensitive information, you’ve probably come across a SOC report. But these reports aren’t always straightforward. SOC reports can be dense, technical, and easy to misinterpret if you’re not sure what to look for.
In this short video, Richey May experts walk through five key things you should know before reviewing a SOC report.
1. Make sure it’s the right report type.
SOC 1 reports focus on controls relevant to financial reporting. SOC 2 reports focus on controls around data security and privacy. Also check whether it’s a Type 1 (a point in time) or a Type 2 (a period of time), and confirm the report covers a recent time frame.
2. Understand the opinion.
SOC reports aren’t compliance certifications; they’re a report from an independent auditor offering an opinion on internal controls. Look for an unmodified opinion, considered a “passing grade,” and dig deeper into any qualified or adverse opinion.
3. Look at the testing details.
Section 4 of the report shows which controls were tested, how they were tested, and the results. Stronger testing is backed by inspection of evidence, not just interviews or inquiries of the vendor’s staff.
4. Pay attention to exceptions.
If any control failures or deviations are listed, read the vendor’s management response to understand how they’re addressing the issue.
5. Know your role.
CUECs (Complementary User Entity Controls) are responsibilities that fall on you as the user of the service; if you don’t perform them, the vendor’s controls may not achieve their objectives. A simple analogy: the vendor provides the car with locking doors, but you still have to lock them.
SOC reports are valuable tools when used correctly. Watch the full video above for more insights on how to read them effectively and what to watch out for.