SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

How to Effectively Leverage Your Vendors' SOC 2 Reports: Tips for Internal Audit & Risk Professionals

SOC Examinations

Internal Audit (IA) and Governance, Risk, and Compliance (GRC) professionals are often charged with reading SOC reports from service providers to gain an understanding of each vendor’s controls, but many may not know how you can also use these reports to also enhance, mature, and drive their own audit and governance functions.

If your organization is engaged in partnerships with service providers who handle your sensitive information, an understanding of how they manage and protect your organization’s data is crucial. As the security of data continues to become more and more paramount, the SOC 2 report has emerged as a key framework to assure organizations of the security measures implemented by their service providers.

But as a former internal audit professional, I can attest to the fact that your vendors’ SOC 2 reports can do even more than just confirm what your service providers are doing to secure their systems and your company’s data. In this article, I’ll explain how you too can more effectively leverage a service provider’s SOC 2 report.

What is a SOC 2 Report?

 

If you’re not already requesting SOC 2 reports from your vendors, you should be (assuming they’re not already adhering to another acceptable standard).

SOC 2 reports contain the results of a SOC 2 examination, during which an independent service auditor evaluates the design and implementation—and operating effectiveness, depending on the report type—of an organization’s system and controls relevant to meeting principal service commitments and system requirements based on what is collectively referred to as the Trust Services Criteria, of which there are five categories:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Given they include detailed information about your vendor’s service, underlying system, and the controls and processes in place to support and protect that service and system, SOC 2 reports include a treasure trove of information about your service provider(s).

How to Read Your Vendor’s SOC 2 Report

 

Of course, your priority will be to confirm their controls are adequate, and you can do that by taking the following steps:

Section

Details

1. Review the Independent Service Auditor's Opinion

Pay attention to any qualifications noted by the auditor, as this opinion provides an initial assessment of your service provider's controls and identifies potential risks.

2. Assess the Management's Assertion

Confirm that this assertion contains the service provider’s responsibility for the design, implementation, and (if applicable) operating effectiveness of the controls and that these elements align with your organization's expectations and regulatory requirements.

3. Understand the Control Environment

Study the policies, procedures, and processes in place and identify areas of strength and weakness—this will allow your auditors to focus on critical control objectives.

4. Analyze Control Categories and Activities

  • Compare these controls to the organization's requirements and assess their relevance and effectiveness.
  • Identify any mature areas, as well as areas with gaps that need improvement.

5. Evaluate Incident Response and Monitoring

  • Assess your service provider's incident response and monitoring processes, as they are crucial for detecting and mitigating potential security incidents.
  • Evaluate the effectiveness of these processes and determine if they align with your incident response plans.

6. Report Findings

Once the evaluation is complete, compile a comprehensive report highlighting the findings and recommendations.

7. Collaborate with Stakeholders

  • As you engage in parallel discussions to gain a comprehensive understanding of your organization's expectations and requirements, communicate your findings to stakeholders, including:
    • Management;
    • IT departments; and
    • Business teams.
  • Emphasize areas of concern and suggest remediation actions for your organization—actively seek their input in evaluating the SOC 2 report and address any concerns or questions.

For more guidance on how to read a vendor’s SOC 2 report, check out our more detailed article here.

4 Areas Where You Can Use Your Vendor SOC 2 Reports to Improve Your Organization

 

Despite their containing so much valuable information, many organizations do not use these vendor SOC 2 reports to their full potential. But once you’ve read and fully understood a vendor’s SOC 2 report, you can start to use that information in your audit and risk management work—here are four specific ways you can leverage a service provider’s SOC 2 report.

1. Complementary User Entity Controls

 

If you are completing an assessment of a business function that relies on the service provider with a SOC 2 report, use the report(s) during your audit planning and testing.

Were there any complementary user entity controls (CUECs) noted? CUECs are your controls that—in combination with those of your service organization—are necessary to provide reasonable assurance that your provider can achieve its principal service commitments. If CUECs were recorded in your provider’s report, reconfirm those controls are implemented, designed, and operating effectively at your organization. If they’re lacking—or if they’re not operating effectively—you need to implement or strengthen those controls.

2. Mapping Control Frameworks

 

Next, you can map your risk and control matrices to the controls listed in the provider’s SOC 2 report to identify any potential gaps—theirs and yours.

If your service provider is a mature organization, their SOC report will have a plethora of controls you can consider implementing at your organization to help strengthen your security posture—you might also use their control environment to justify the implementation of industry “best practices” with upper management.

But at the very least, if you do find there are gaps in your vendor’s SOC 2 report compared to your organization, you should implement additional controls to mitigate any of those potential risks identified.

3. Annual Enterprise-Wide Risk Assessment and Audit Planning

 

If you use a particular service provider across several of your business functions, you should use their report during your annual enterprise-wide risk assessment and audit planning.

Because maybe you’ve got a business group or function that wouldn’t ordinarily necessitate an audit or evaluation, but it does use an application or platform that shares sensitive data with third parties. If so, the risk profile of that business function increases, and it may be beneficial to conduct an internal audit or control evaluation to assess how they are protecting the data both in and outside the application.

If your audit plan has any further slack, you can also review the specific risk assessment, mitigation, and control activities sections of your vendor’s SOC 2 report to help improve and mature your risk assessment.

4. Vendor Due Diligence

 

Finally, use your newfound knowledge and expertise in SOC reports to actively improve your vendor management process. Far too often, vendor management teams consider merely receiving a SOC 2 report enough to “check the box” in their due diligence process without really checking the contents.

I speak from experience—on more than one occasion, I found myself reviewing SOC reports that were years out of date, for a system provided by the vendor that was different than what my organization was analyzing and considering purchasing, or it disclosed critical security findings, neither of which was flagged as part of our greater due diligence process.

To ensure everyone involved is on the same and correct page—and that your organization isn’t accidentally left vulnerable—consider performing a consulting engagement with your Vendor Management or Procurement team when reviewing vendor SOC 2 reports—even a simple “lunch and learn” that serves as a networking opportunity will value add to your organization.

Your Vendor Compliance Reports Moving Forward

 

For IA or GRC professionals, these SOC 2 reports from your vendors can help you better assess the risks associated with these providers, understand their implemented controls and security measures, and provide valuable insights to management and stakeholders. But they can also do more than just that for your organization, as you’ve just learned.

By better understanding the purpose and scope of SOC 2 reports and leveraging them more effectively, auditors and GRC teams can further contribute to your organization's overall risk and vendor management efforts. While you use SOC 2 reports to stay proactive, collaborate with stakeholders, and continuously monitor and evaluate the effectiveness of your service providers, make sure to check out our other SOC 2 content that can help you in related areas:

About Adam Russell

Adam Russell is a senior IT audit associate with Schellman based in Saint Paul, Minnesota. Before joining Schellman, Adam worked as a senior internal auditor at a large credit union specializing in compliance and IT auditing. Adam led and supported various other projects, including application implementations, the enterprise-wide risk assessment, and the associate internal auditor training program. Adam also spent approximately three years with a large national CPA firm performing financial statement and federal government expenditure audits and has obtained his CPA, CISSP, CIA, CISA, and CCSK. He has almost five years of experience in serving clients in the healthcare, financial services, government, and not-for-profit industries and is now focused on SOC audits for organizations across various industries.