Vendor SOC 1, 2 or 3 – Understanding the Differences

Your vendors pose different types of risk to your business and organization, so make sure they comply with industry standards. If you use a vendor's services for critical projects, deal with a SOC-compliant vendor. The three main SOC reports are SOC 1, SOC 2 and SOC 3. What are the differences between these reports? The following explanation will help you understand them.

Differences between Vendor SOC 1, 2 and 3

  • Brief Vendor SOC Background
  • A Vendor’s SOC 1
  • A Vendor’s SOC 2
  • A Vendor’s SOC 3
  • Tips to Review Vendor SOC Reports
  • Request and Analyze SOC Reports on Your Vendors

Brief Vendor SOC Background

AICPA (American Institute of Certified Public Accountants) established the SAS 70 standard, which a service vendor could present to prove it meets its control objectives. This standard was replaced by SSAE 16 in 2011. Under SSAE 16, an organization's management was required to confirm that all necessary controls were in place. SSAE 16 was in turn replaced by SSAE 18 in 2017.

A SOC report must comply with the guidelines set in SSAE 18. The vendor must provide information about its subcontractors, who are referred to as fourth parties, and must also disclose what types of controls it has over these parties.

These rules apply to service organizations, which must issue a written statement detailing the effectiveness of the controls they have over their organizations. All large organizations providing services are required to issue a SOC (System and Organization Controls) report that complies with the SSAE 18 standard.

A Vendor’s SOC 1

Vendors that offer services to other companies are required to provide SOC 1 reports. You should obtain this report from your vendor if its services and decisions can affect your financial statements. Common services in this category include payroll processing, employee benefits, investment advisory, payment processing, loan servicing, trust departments and others.

The report does not include any statement about the future performance of controls. Its main premise is that the vendor provides a service that can affect the client's financial statements; in that case, the client must obtain this SOC report from the service provider. The report is issued by a CPA firm specializing in auditing business and IT process controls. SOC 1 reports are mainly attestation reports.

A Vendor’s SOC 2

In this case, the vendor is responsible for providing services that involve security, privacy, availability, confidentiality and processing integrity. A SOC 2 audit need not cover all of these trust services criteria: only the security criterion is mandatory, while the others are optional. Technology service companies, such as cloud service providers, must comply with SOC 2 requirements.

Clients request this report frequently. Companies hiring SaaS vendors ask for it when their procurement, legal and security departments use the services of an IT service company. In the report, the vendor confirms that its internal controls will protect customer data.

A Vendor’s SOC 3

This compliance report is used mainly to assure the general public. A large IT service company may need to show that it holds SOC 3 certification. The report is essentially a summary and not as comprehensive as a SOC 2 report. No non-disclosure agreement is required for a SOC 3 report. It is less technical and does not go into full detail.

Critical information is omitted because it may already be included in the SOC 2 report. Vendors usually post a SOC 3 report on their website to assure their clients. It is used during the initial due diligence phase; serious prospects demand a SOC 2 report.

Tips to Review Vendor SOC Reports

Companies must conduct due diligence before using a vendor's services. The report is produced by an independent auditor during a SOC audit to analyze the vendor's internal controls. The opinion letter is the first item that should be reviewed; it can be found in the section “Independent Service Auditor's Report”.

The report must cover the services the vendor is offering. Review the CUECs (Complementary User Entity Controls) next; they help you determine whether the control objectives have been met and whether everything at the vendor's end is operating effectively. Then review the vendor's Independent Service Auditor's Tests of Controls section and check the test results to see how the controls performed. These details will help you determine how the vendor's services will affect your organization and operations.

Request and Analyze SOC Reports on Your Vendors

Ask your vendor to provide a SOC report to validate that it has all necessary controls in place. The report helps you understand the vendor's performance. Requesting it is good practice and even a regulatory requirement under some standards, such as the FFIEC IT Examination.

Be proactive in requiring that a SOC report be provided to you before you move forward with any engagement with the vendor. The report will reveal any operational disconnect between your expectations and what the vendor can deliver. When effective controls are in place at your vendor's organization, you avoid data loss and unauthorized access.

Requesting these reports falls under the due diligence standard, so do not hesitate to ask for them when you need assurance and compliance. They demonstrate knowledge of information security and cybersecurity.

Work done by a team of security experts from Cyber Security News