System and Organization Controls (SOC) is a suite of attestation reporting frameworks developed by the American Institute of Certified Public Accountants (AICPA). SOC examinations are performed by independent, licensed CPA firms, and the resulting reports are used to demonstrate how a service organization has designed and operated the controls that protect its systems and information.
SOC 2 audits assess controls against five key areas, called the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC reports provide detailed assessments of an organization’s operations and systems, and their effectiveness. There are two types of SOC reports:
Type 1 reports review the design of security controls, including procedures and processes. Type 1 audits are conducted at a single point in time.
Type 2 reports test whether those same controls operated effectively over a review period, typically six to twelve months. Instead of examining a single point in time, the auditor samples evidence from across that window, which is why Type 2 reports are the ones that surface control exceptions.
This post focuses on SOC 2 Type 2 reports.
While SOC 2 reports vary in layout depending on the auditor conducting the assessment, they generally include the following sections, which define the scope of the assessment and list any non-conformities, known as control exceptions.
In a SOC 2 report the Security criteria (the Common Criteria) are always in scope; most reports add only one or two of the other four.
Companies use SOC 2 reports when they:
A SOC 2 report does not list "risks" as such. It records the auditor's "test results" for each control, and any control whose result is something other than "no exceptions noted" is a control exception. A typical SOC 2 exceptions table looks like this:
There is no grading of risks in a SOC 2 report, such as red/amber/green indicators of risk failures. This is where a third-party risk management platform can help!
Translating SOC 2 control exceptions or test results to risks can be tricky without a way to centrally track third-party risks.
We recommend applying a "likelihood and impact" methodology to assign a risk score to each identified exception.
Using a simple 0 to 5 scale for each factor, where 0 means no likelihood or impact and 5 means high likelihood or impact, multiply the two to place each exception on a heat map and quickly score and categorize the risks.
Once risks are categorized into the heat map, you can define risk ownership, assign tasks, and engage with the third party for risk treatment and remediation.*
*Remember that the third party may have already addressed findings in the SOC 2 report Management Response section.
Start by developing a playbook for remediating SOC 2 exceptions based on:
Clearly state the requirement. If you expect further evidence, then specify when you need it. Also, confirm whether you require ongoing monitoring or remediation.
Map the exceptions into your existing risk registers rather than tracking them in isolation. This lets you cross-reference each finding for compliance reporting against other frameworks.
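The scoring, heat-map and register-mapping steps described above, as an added example that is not code from the original post or from Prevalent. The test-result rows, the likelihood and impact values, the rating bands and the criterion-to-register mapping are all constructed assumptions; a real review would take the rows from the report's tests-of-controls section and the scores from the analyst.

```python
"""Turn SOC 2 "test results" into scored, owned third-party risks.

Added example, not from the original post. Rows, scores, rating bands and the
register mapping below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Wording auditors use for a clean test; such rows must not become risks.
NO_EXCEPTION = "no exceptions noted"


@dataclass(frozen=True)
class ControlException:
    control_id: str                  # auditee's control identifier
    criterion: str                   # Trust Services Criteria point, e.g. "CC6.1"
    exception: str                   # auditor's test result text
    likelihood: int                  # 0 (none) .. 5 (high), analyst judgement
    impact: int                      # 0 (none) .. 5 (high), analyst judgement
    management_response: Optional[str] = None  # from the Management Response section


# Assumed 5x5 heat-map bands on the 0..25 product; tune to your risk appetite.
BANDS = ((0, "None"), (1, "Low"), (5, "Medium"), (10, "High"), (16, "Critical"))

# Assumed cross-mapping from TSC criteria into an existing register. The
# owners are hypothetical; the ISO 27001:2022 / NIST CSF 1.1 IDs are illustrative.
REGISTER: Dict[str, dict] = {
    "CC6.1": {"owner": "IAM lead", "maps_to": ["ISO 27001 A.5.15", "NIST CSF PR.AC-1"]},
    "CC7.2": {"owner": "SOC manager", "maps_to": ["ISO 27001 A.8.16", "NIST CSF DE.CM-1"]},
    "CC9.2": {"owner": "TPRM lead", "maps_to": ["ISO 27001 A.5.19", "NIST CSF ID.SC-2"]},
}

# Constructed sample of a tests-of-controls table with analyst scores attached.
RESULTS: List[dict] = [
    {"control_id": "CTRL-07", "criterion": "CC6.1", "likelihood": 4, "impact": 5,
     "exception": "1 of 25 sampled terminated users retained VPN access 14 days after separation",
     "management_response": "Offboarding ticket now triggers automated deprovisioning"},
    {"control_id": "CTRL-03", "criterion": "CC6.1", "likelihood": 0, "impact": 0,
     "exception": "No exceptions noted", "management_response": None},
    {"control_id": "CTRL-12", "criterion": "CC7.2", "likelihood": 3, "impact": 3,
     "exception": "Weekly alert review not evidenced for 3 of 12 sampled weeks",
     "management_response": None},
    {"control_id": "CTRL-21", "criterion": "CC9.2", "likelihood": 2, "impact": 2,
     "exception": "2 of 10 sampled subservice organizations lacked a current SOC report review",
     "management_response": None},
]


def exceptions_from_results(rows: List[dict]) -> List[ControlException]:
    """Keep only rows whose test result is an actual exception."""
    return [ControlException(**r) for r in rows
            if r["exception"].strip().lower() != NO_EXCEPTION]


def score(exc: ControlException) -> int:
    """Likelihood x impact on the 0..5 scales; rejects values outside the scale."""
    for name, value in (("likelihood", exc.likelihood), ("impact", exc.impact)):
        if not 0 <= value <= 5:
            raise ValueError(f"{name} must be 0..5, got {value}")
    return exc.likelihood * exc.impact


def rating(s: int) -> str:
    """Map a 0..25 score to its heat-map band (highest band whose floor <= s)."""
    label = BANDS[0][1]
    for floor, name in BANDS:
        if s >= floor:
            label = name
    return label


def heat_map(excs: List[ControlException]) -> List[List[List[str]]]:
    """6x6 grid indexed [likelihood][impact] holding control IDs, for visual triage."""
    grid = [[[] for _ in range(6)] for _ in range(6)]
    for e in excs:
        score(e)  # validates the scale before placing the cell
        grid[e.likelihood][e.impact].append(e.control_id)
    return grid


def triage(exc: ControlException) -> dict:
    """Score one exception, assign an owner and decide the next action.

    An existing management response is not treated as remediation; it only
    changes the ask from 'send a plan' to 'send evidence the plan worked'.
    """
    s = score(exc)
    reg = REGISTER.get(exc.criterion, {"owner": "unassigned", "maps_to": []})
    action = ("verify remediation evidence cited in Management Response"
              if exc.management_response else
              "request remediation plan and evidence due date")
    return {"control_id": exc.control_id, "criterion": exc.criterion, "score": s,
            "rating": rating(s), "owner": reg["owner"],
            "register_refs": list(reg["maps_to"]), "next_action": action}


def triage_report(rows: List[dict] = RESULTS) -> List[dict]:
    """Full pipeline: filter clean rows, score, rate and map, highest score first."""
    return sorted((triage(e) for e in exceptions_from_results(rows)),
                  key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    for item in triage_report():
        print(f"{item['control_id']} {item['criterion']} score={item['score']:>2} "
              f"{item['rating']:<8} owner={item['owner']:<12} -> {item['next_action']}")
```

The clean "No exceptions noted" row is dropped before scoring, a management response only changes the evidence you ask for rather than lowering the score, and the register references travel with each finding so the same exception can be reported under the other frameworks in your register without re-keying it.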
Managing third-party risks – regardless of whether or not they were discovered via a SOC 2 report – is impossible without a central platform that automates risk identification, assessment, triage, monitoring and remediation. That’s where Prevalent can help!
Prevalent can help simplify SOC 2 third-party risk management using solutions and professionals with SOC 2 compliance expertise. Prevalent SOC 2 Report Review Services:
For more on Prevalent’s SOC 2 Report Review Services, download the data sheet or request a demo to schedule a strategy discussion today!