Potential Client: “Ferry, my supplier has a SOC report, and I don't see any findings there. Can I say that everything is fine, everything is secure? The report was prepared by one of the Big4s.”
Me: “Not yet. The report is not everything. We need to do more than just rely on a SOC report. For me it’s just one of multiple inputs that I would use to perform due diligence.”
Potential Client: “Why? What's wrong with the report?”
Me: “Nothing wrong with it. It's just the nature of the SOC report itself that means I need to do more if I want to do a proper due diligence. Let me explain:
Although the SOC audit is performed against well-known, standardised criteria (the Trust Services Principles), it is limited to the organisational and service scope that the company defines in its engagement with the auditing firm. It is also limited to the controls designed and implemented by the company within the boundaries of that scope. This means a SOC report may not necessarily cover the full universe of your risk appetite. Always check the scope of the SOC report against your organisation’s risk appetite and decide whether the report can give you that level of comfort or not.
Depending on the agreed engagement, the SOC audit may cover the controls for a full 12-month financial year (most common) or a shorter period of time. And if your organisation is performing its risk assessment outside that assurance period, then you are relying on a past period, which means there is no guarantee that the controls are still operating effectively during your own review period.
Quality of audit execution
Like it or not, most audit activities depend on the human beings doing the work. This also means that the quality may differ for each SOC report, even though it might be published by the same auditing firm for multiple years. And again, depending on the engagement scope, some SOC reports are published covering only control design and implementation, without assurance over operating effectiveness.”
Me: “So, just looking at these 3 points, which can be applied to any kind of assurance report out there, including the fancy ISO 27001 certificate, we shouldn’t rely only on a SOC report to manage our third party risks. Use the SOC report only as one of the inputs to perform due diligence. Having said that, if your supplier has only that SOC report and nothing else, it’s still a good starting point from which to continuously improve the monitoring activities.”
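The three checks above (scope against risk appetite, assurance period against your own review period, and report type) are easy to lose in a spreadsheet when you track many suppliers. The following is an added example, not code from the post or from any assurance firm: it encodes those checks as a small due-diligence assessment over the metadata you would lift from the report's cover and scope section. The `SocReport` and `RiskAppetite` records, the service names, the 90-day staleness tolerance and the audit firm name are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SocReport:
    """Metadata read from a supplier's SOC report (constructed example values)."""
    auditor: str
    report_type: int          # 1 = design/implementation only, 2 = operating effectiveness too
    period_start: date        # start of the audited period (point-in-time date for a Type 1)
    period_end: date
    in_scope_services: frozenset


@dataclass(frozen=True)
class RiskAppetite:
    """What our own due diligence needs the report to cover (hypothetical thresholds)."""
    required_services: frozenset
    review_start: date        # the period our risk assessment is concerned with
    review_end: date
    max_stale_days: int = 90  # staleness tolerated before we ask for newer evidence (assumed)
    require_operating_effectiveness: bool = True


def assess_soc_report(report: SocReport, appetite: RiskAppetite) -> list[str]:
    """Return the gaps between what the report assures and what we need. Empty list = good enough."""
    gaps: list[str] = []

    # 1. Scope: the audited services must cover the ones we actually rely on.
    missing = appetite.required_services - report.in_scope_services
    if missing:
        gaps.append(f"scope: {sorted(missing)} not covered by the report")

    # 3. Depth: a Type 1 report says nothing about operating effectiveness.
    if appetite.require_operating_effectiveness and report.report_type != 2:
        gaps.append("type: design/implementation only, no operating-effectiveness assurance")

    # 2. Period: compare the assurance window with our own review window.
    audited_days = (report.period_end - report.period_start).days
    if report.report_type == 2 and audited_days < 180:
        gaps.append(f"period: only {audited_days} days audited, shorter than a typical 12-month window")
    if report.period_end < appetite.review_start:
        stale = (appetite.review_start - report.period_end).days
        if stale > appetite.max_stale_days:
            gaps.append(f"period: assurance ended {stale} days before our review period started")
    else:
        if report.period_start > appetite.review_start:
            uncovered = (report.period_start - appetite.review_start).days
            gaps.append(f"period: first {uncovered} days of our review period precede the audit window")
        if report.period_end < appetite.review_end:
            uncovered = (appetite.review_end - report.period_end).days
            gaps.append(f"period: last {uncovered} days of our review period are not covered")
    return gaps


def is_good_enough(report: SocReport, appetite: RiskAppetite) -> bool:
    """'Good enough' means no gap against our stated appetite, not 'secure'."""
    return not assess_soc_report(report, appetite)


if __name__ == "__main__":
    # Constructed sample: a clean Type 2 report for calendar 2023, reviewed for FY2024/25.
    report = SocReport("Example Audit LLP", 2, date(2023, 1, 1), date(2023, 12, 31),
                       frozenset({"hosting", "backup"}))
    appetite = RiskAppetite(frozenset({"hosting", "backup", "identity"}),
                            date(2024, 7, 1), date(2025, 6, 30))
    for gap in assess_soc_report(report, appetite):
        print("-", gap)
```

A report with zero exceptions still produces two gaps in the sample run: the identity service is outside the audited scope, and the assurance window ended well before the review period, which is exactly the situation where you would ask for a bridge letter, a newer report, or other evidence rather than signing off on the absence of findings.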
There’s no such thing as crossing a finish line in managing third party risks. But we can say “good enough” against our risk appetite, and what we can do together is just keep improving ourselves along the way.
If you are looking for a new partner to manage your third party risks, especially your information and technology suppliers, let’s have a chat and see how we can support you with it.