
How To Review A SOC 2 Report

Written By: Tim Porter
Feb 20, 2024




In a previous article we stressed the importance of proper Vendor Risk Management. But how do you actually review a SOC 2 report, especially if it's 85 pages long? This article will help you identify the key elements of a SOC 2 report and provide you with helpful tips for assessing the vendor's adherence to their security commitments.

In most SOC 2 reports, you will find four sections and an optional fifth section:
  • Section 1 - Independent Service Auditor's Report
  • Section 2 - Management's Assertion
  • Section 3 - System Description
  • Section 4 - Trust Services Criteria and Related Controls
  • Section 5 - Other information provided by management


Section 1


How do you know if the organization was in compliance with SOC 2 or not? Section 1 of the report contains the independent service auditor's opinion, which outlines whether or not the organization undergoing the SOC 2 assessment was in compliance. You should be aware of two common opinion types: qualified and unqualified. A qualified opinion means the auditor found at least one SOC 2 criterion that the organization was not compliant with. This issue could be something as simple as new hires who didn't complete security awareness training or something more severe like a data store that is not encrypted at rest. A qualified opinion is not the end of the world, but it should provoke more due diligence to understand what the deviation was and analyze how severely it could impact your relationship with the organization.

The other opinion type is unqualified. An unqualified opinion means the auditor found the organization to be in compliance with all of the SOC 2 criteria. Every control tested was designed appropriately (Type 1) and operated effectively (Type 2). Section 1 will also outline the scope of the examination detailing the system in review, which SOC 2 categories were in scope, and the examination period (Type 2 only).

Section 2


Section 2 of the SOC 2 report is management's assertion, which is where the company undergoing the SOC 2 states that they prepared the system description (Section 3) and that the controls in that description were suitably designed as of a specific date and, in a Type 2 report, operating effectively throughout the examination period. This section does not contain technical details and is essentially the vendor's management acknowledging that the information they provided was accurate and relevant.

Section 3


This is likely the longest section of the report, but it will also include many critical details you will want to understand. Below are a few of the key subsections to look for when evaluating a SaaS vendor:

Overview of Services Provided: You'll find a brief overview of the services provided by the company undergoing the SOC 2. Pay particular attention to what is described here and ensure that this section discusses the service or application you plan to use. You shouldn't find any marketing language like "best ever" or "first in class" here, as every section of the SOC 2 report should be objective and factual information that an auditor can formally assess.

Principal service commitments and system requirements: An interesting aspect of SOC 2 is choosing which Trust Service Categories (TSCs) to include in the scope. We tell our clients to review the type of data they come in contact with and their operations to help determine which of the 5 categories to include. This section of the system description includes the vendor's commitments to their customers as they relate to the in-scope TSCs. For example, if Availability is in-scope, we expect to see commitments related to uptime levels.

Components of the system: This section should describe valuable technical details such as where the company is hosted, what cloud service provider is used, software tools used to support the services/product, what data types are used, transferred, or retained, various company policies and procedures, etc. This sub-section should help you quickly understand the tools and technologies in place at this company.

Complementary user entity controls (CUECs): CUECs are the controls this company expects its "user entity", you, to have for its system to achieve its goals and meet its commitments. A common control to see in this section is around account deprovisioning. If you terminated an employee, it is your responsibility to either revoke that user's access or inform the SaaS company to remove their access. If the SaaS company is not told the user is terminated, they will not delete their account. It is essential to review this section to ensure you have controls in place that accomplish what this company expects you to handle.

Complementary subservice organization controls (CSOCs): Similar to the CUECs section, this section is about the shared responsibilities for control performance between the SaaS company and its third-party vendors (aka subservice organizations). This is another important section to review to make sure you know where your information could be hosted and who shares responsibility for its security.

Section 4


More often than not, people will receive a SOC 2 report and immediately flip to this section, because this is where you will find the list of controls, the auditor's tests, and the results of those tests. An exception or deviation is when the auditor performs a test and identifies a control activity that was not operating effectively. You will want to look for exceptions and perform additional due diligence to determine the impact they could have on the SaaS company's service commitments to you.

Section 5


This is an optional section of the SOC 2 report, but if included, it is likely to show management's response to the noted exceptions. This can be very valuable information in determining the impact of the exceptions and the SaaS company's adherence to its security commitments to you. SOC 2 reports are long (longer than this article) and contain a myriad of information. It is the auditor's responsibility to make sure the report is easy to understand and does not mislead the reader. Nonetheless, leverage this article as your guide to understanding and reviewing SOC 2 reports; ultimately it should help you effectively evaluate the security of critical vendors in your supply chain.



© 2024 Pease Bell CPAs