Eight Things to Look for in a SOC 2 Report
- Products and Services – Does the report address the products and services you’ve contracted for?
- Criteria – Which of the 5 Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) are included in the report? Security (the Common Criteria) is mandatory; the other four are optional, so check that the criteria you actually rely on were in scope.
- Sub-service Providers – Does the report cover the subcontractors (sub-service providers) of the vendor?
- Type I or Type II – Does the report address the operating effectiveness of the controls over a review period (Type II), or only the suitability of their design at a single point in time (Type I)?
- Exceptions – Is the report “clean”? Does the auditor’s testing section note any exceptions, and are any of them material to the services you rely on?
- Auditor’s Opinion – Is the opinion unqualified, or is it qualified (or adverse)? A qualified opinion means the auditor found at least one area where controls were not suitably designed or did not operate effectively.
- Management’s Assertion – How does management treat subservice organizations: the inclusive method (the subcontractor’s controls are tested within the report) or the carve-out method (they are excluded, and you must obtain the subcontractor’s own SOC 2 report)?
- CUEC (Complementary User Entity Controls) – Where is the CUEC description in the SOC 2 report? Do the CUECs outline the roles, responsibilities and obligations that you have in ensuring the stated control objectives are effective for your organization? Can the CUECs be mapped back to your own policies and procedures to confirm that you have controls in place that properly align with your vendor’s expectations?