Staying Proactive: The Importance of Financial Institutions Reviewing Third-Party SOC Reports
With an ever-evolving digital landscape, and financial institutions increasingly outsourcing services and technology, it’s more important than ever to evaluate the controls established for protecting member/customer data. Understanding the controls at the service organization not only mitigates potential risks, but also demonstrates trust and transparency to stakeholders. An effective due diligence review of a service organization includes a review of its System and Organization Controls (SOC) reports, allowing institutions to:
- Identify weaknesses in vendor controls.
- Develop internal compensating controls to address gaps.
- Strengthen resilience against operational and regulatory risks.
What is a SOC Report?
Governed by the American Institute of Certified Public Accountants (AICPA), SOC reports offer assurance that the controls service organizations put in place to protect their clients’ assets (data in most cases) are effective. There are four main types of SOC reports.
SOC 1: Focuses on outsourced services performed by service organizations relevant to a company’s (user entity) financial reporting.
SOC 2: Addresses the operational risks of outsourcing to third parties outside of financial reporting. These reports are based on the Trust Services Criteria, which comprise five categories (a given report may cover some or all of them):
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
SOC 3: Not as comprehensive as a SOC 2. It omits certain details of the system description and all of the detailed controls and test results. The SOC 3 is a general-use report, primarily used for marketing purposes.
SOC for Cybersecurity: A CPA reports on an organization’s enterprise-wide cybersecurity risk management program.
Vendors may produce multiple types of SOC reports, or may carve out the responsibilities of subservice organizations from their own report. Financial institutions should review all relevant reports, including those of subservice providers, to understand the complete risk landscape.
What Should You Look For?
SOC reports provide an independent auditor’s opinion on a service organization’s controls. Here are the critical elements to assess:
- Audit Opinion: An unmodified opinion indicates controls are suitably designed and implemented. If the opinion is modified, evaluate its impact on the institution’s data and systems. A modification can indicate that controls are poorly designed, that the system description is not fairly presented, or that controls did not operate effectively during the period.
- Exceptions and Non-Compliance: Review the noted exceptions and determine their potential effect on the institution’s operations. Since these are controls entrusted to a service provider, an exception may change your risk assessment or require a change to your mitigation strategy.
- Complementary User Entity Controls (CUECs): Ensure your institution has implemented the controls the vendor assumes you operate in support of its system. Neglecting these increases the risk that the overall control environment is ineffective, even where the vendor’s own controls are sound.
For example, an institution that fails to implement user authentication controls (a common CUEC) could leave itself exposed despite the vendor’s robust internal controls.
Practical Application
Regulatory scrutiny of third-party vendor management is intensifying. For instance, in the last few years, over 40% of data breaches involved third-party vendors. Regulators now expect institutions to demonstrate thorough initial due diligence and ongoing monitoring of their vendors. SOC report reviews play a vital role in meeting these expectations and in preventing breaches.
Consider the following scenario: A financial institution’s SOC 2 review revealed inadequate vendor controls around data encryption. Acting proactively, the institution implemented compensating controls and reduced its risk of a data breach, avoiding potential fines and reputational damage.
Similarly, a fintech partnership may involve multiple layers of vendors and subvendors. By reviewing all applicable SOC reports, the institution can map risks comprehensively and maintain robust risk management across the whole ecosystem.
Here to Help
Reviewing SOC reports can be intimidating and complex, but you don’t need to navigate them alone. Our IT advisory pros are here to help. Contact us today if you have any questions about improving your SOC report review process.