Written by: Alyssa Hunt, Emily Foltan & Emily Rockwal
Effective Management of SOC Reports: 3 Best Practices & Procedures
Key Takeaways:
- System and Organization Controls (SOC) reports are crucial for verifying the effectiveness of controls over financial reporting, data security, and operational processes.
- Internal and external teams should follow best practices for managing these reports.
- The first best practice is to obtain and thoroughly review SOC reports from third-party providers, comparing them with past reports to spot issues.
- The second best practice is to establish a formal, documented review process involving senior management to ensure SOC reports are properly assessed and approved.
- The third best practice is to prioritize and resolve control exceptions or unresolved issues promptly, tracking progress to ensure resolution.
In today’s landscape of regulatory requirements and increased cybersecurity threats, organizations need to ensure their controls and processes are strong and continuously improving. System and Organization Controls (SOC) reports play a critical role in ensuring the effectiveness of controls over financial reporting, data security, and operational processes.
3 Best Practices for Managing SOC Reports
This is the first SOC article in a series where we’ll share actionable steps you can take to prepare for audits. Below, we’ve outlined three procedures and best practices for internal and external audits concerning SOC reports, including the acquisition and review of these reports, management’s formal review process, and the follow-up on Complementary User Entity Controls (CUECs).
1. Obtaining & Reviewing SOC Reports
SOC reports should be obtained whenever the organization relies on a third-party provider for a control-relevant function. For example, the providers of core processing, payroll, and investment systems are the ones whose reports are typically addressed in an audit. There are three types of SOC reports:
- SOC 1 Report: Focuses on internal controls related to financial reporting. It is typically used by organizations that provide services that impact their clients’ financial statements.
- SOC 2 Report: Evaluates controls related to data security, availability, processing integrity, confidentiality, and privacy. This report is pertinent for organizations that handle sensitive customer data.
- SOC 3 Report: Provides a public-facing summary of the SOC 2 report, designed for general use and assurance without disclosing detailed information.
Management must determine the period the SOC report covers and how the report aligns with the organization’s needs and expectations. Note that only a Type 2 report covers a period (design and operating effectiveness of controls over a date range); a Type 1 report describes the design of controls at a single point in time and gives no assurance that they operated. Any portion of the organization’s own audit period that falls outside the SOC report’s covered period must be filled with a gap letter (also called a bridge letter) from the provider stating that the controls have not materially changed since the end of the covered period.
Furthermore, management should perform a detailed review of the report to analyze key elements such as the scope (including any subservice organizations the provider has carved out, whose controls are not covered by the report), the control objectives or trust services criteria, the tests of controls and their results, and the auditor’s opinion, including whether it is qualified. The focus should be on the effectiveness of controls and on any exceptions or deficiencies identified in the tests of controls, together with the provider’s response to them. A comparison against the prior year’s SOC report can help identify changes in scope or controls and recurring issues.
2. Management’s Formal Review of SOC Reports
Management should develop a formal process to review the SOC reports. The first step in the review process is to build a team or identify the individuals who will review the reports. It is important that senior management reviews the SOC reports in detail.
The second step is a review and acknowledgment of the report. This review should be documented, highlighting management’s understanding and acceptance of the reported controls and any identified issues.
The final step in the review process is the formal approval from management, indicating that they have reviewed the SOC reports and are committed to addressing any concerns. All review processes should be documented with meeting minutes, key findings, and action items. This documentation serves as evidence of due diligence and is crucial for both internal and external audits.
3. Follow-up on Complementary User Entity Controls (CUECs)
Once the SOC reports are reviewed, the Complementary User Entity Controls (CUECs) they list should be identified and documented. CUECs are controls the service organization assumes its customers have implemented on their own side (for example, restricting and periodically reviewing user access to the provider’s system, or reviewing output reports for accuracy); the provider’s control objectives are only achieved if those customer-side controls are in place. Management must map each CUEC to the organization’s own controls and confirm that those controls exist and operate. Any CUEC for which no corresponding control is in place is a gap that needs to be addressed, and the CUEC mapping and any gaps should be shared with the auditor.
Gaps should be prioritized based on their potential impact on the organization’s operations and compliance requirements. Management is encouraged to take action by developing and implementing plans to close them. Responsibility for each action item is assigned to a named owner, and timelines are established for resolving each gap.
Lastly, management needs to track progress and follow up on open items until they are fully resolved. To ensure effectiveness, management can conduct periodic reassessments to confirm that corrective actions have been successful and that the controls are operating as intended. Because CUECs can change from one report to the next, the mapping should be refreshed each time a new SOC report is received.
The Value of Effective Management & Review of SOC Reports
Effective management and review of SOC reports are crucial for ensuring that an organization’s internal controls are strong and capable of mitigating risks. By obtaining and reviewing SOC reports, implementing a formal management review process, and following up on CUECs, organizations can enhance their control environment.
If you have questions on your organization’s SOC reporting requirements or need assistance auditing your SOC report, contact Wolf’s SOC Reporting team today.