February 21, 2024

Last Updated on February 23, 2024

These days it’s imperative for organizations to demonstrate to customers, regulators, and other stakeholders that they can safeguard sensitive data. But even if a business has secured its own systems, what about the security risks from critical third-party vendors?

Addressing this risk—for both vendors and their customers—is the role of Systems and Organization Controls (SOC) reports. These assessments are indispensable to help businesses choose safe outsourcing partners, and for vendors to substantiate their security capabilities.

CBIZ MHM’s 2023 SOC Benchmark Study, “Benchmarking Your SOC Compliance Framework,” offers unique insights to service providers on enhancing their SOC reports for optimal success and customer satisfaction. This blog post shares 6 key takeaways from the study.

 

What is a SOC report?

There are two primary types of SOC reports, both of which require an independent audit by a CPA firm that specializes in auditing cybersecurity and business process controls:

  • SOC 1 reports focus on financial controls.
  • SOC 2 reports focus more broadly on one or more of the five TSC areas and is overwhelmingly the more popular of the two types.

A SOC 2 report is an increasingly popular way to validate that a service provider or other third party follows best practices around one or more of five Trust Service Criteria (TSC):

  • Security—Ensure data and systems are protected from unauthorized access, disclosure, and damage.
  • Availability—Ensure that data and systems are available and accessible.
  • Processing integrity—Ensure that data processing is valid, accurate, complete, timely, and approved.
  • Confidentiality—Ensure that data defined as confidential or sensitive is protected (e.g., intellectual property, proprietary data, personal data).
  • Privacy—Ensure that personally identifiable information (PII) is protected.

Within SOC 2 reports there are two further types:

  • SOC 2 Type 1 reports provide an opinion on the suitability and design of an organizations’ controls—but not their operation.
  • SOC 2 Type 2 reports, which are more commonly used than SOC 2 Type 1, cover control design and operation over a period of time (three months to one year).

As detailed attestations under the auspices of the American Institutes of Certified Public Accountants (AICPA), SOC reports are extremely valuable to service providers because they streamline customer due diligence. Instead of fielding numerous questionnaires, audits, etc., a business can just share its SOC report.

Many of the largest service providers, such as Amazon Web Services and Microsoft Azure, provide SOC reports to customers seeking to reduce third-party risk and validate their own security to regulators and other stakeholders.

 

What is the 2023 SOC Benchmark Study?

For business leaders seeking to maximize the value from their SOC reporting program, the 2023 SOC Benchmark Study offers a comprehensive analysis based on over 150 SOC 1 and SOC 2 reports across businesses of all sizes in diverse industries.

The report highlights common problems with both controls and reporting practices. It illustrates that “all SOC reports are not created equal,” and identifies best practices to ensure accuracy, efficiency, and clarity in your own SOC reports.

 

Takeaway #1: Security and Availability are the most popular TSCs.

Service providers need to choose which of the five TSCs will be in scope for their SOC 2 report. In the study, 100% of organizations surveyed included the Security category.

But only about 15% of the SOC 2 reports covered just Security. The next most common categories were:

  • Availability, which was included in 71% of reports
  • Confidentiality, which was included in 34% of reports
  • Processing integrity, which was included in 16% of reports

Despite its importance in the market, only 5% of the reports included Privacy. This is largely because the number of criteria an organization must meet for Privacy guidelines almost doubles the scope of most SOC 2 reports.

The most common combination of TSCs in the study by far was Security plus Availability. This makes sense given how many of today’s cyber threats, especially ransomware, impact the availability of data.

 

Takeaway #2: Control counts vary widely.

The SOC 2 framework is highly prescriptive, so logically most firms receiving SOC 2 reports should have similar control counts. But SOC 2 control counts can still vary depending on the number of TSCs selected.

Even within the Security category, which was included in 100% of reports, there can be significant variability. In the study, control counts for Security ranged from 30 to 209, with an average of 86. A typical “sweet spot” based on experience is around 55 to 60 for Security and 5 or 6 for Availability.

Factors that could account for this wide variability in control counts across SOC 2 reports include:

  • Variations in the complexity of IT environments
  • “Overkill” or doing more than is necessary in pursuit of achieving compliance with the criteria

Implementing too many controls could overextend your staff and increase your audit focused efforts. In addition, the cost of your SOC 2 report would likely go up because the number of controls is a top cost driver. Extra controls could also increase the chance of exceptions.

 

Takeaway #3: Most service providers “carve out” subservice providers.

In the SOC 2 context, a subservice provider is an organization that handles some part of the control environment on behalf of the report recipient. 82% of report recipients in the study used subservice providers, and 95% of these leveraged the carve-out approach to exclude the controls performed by subservice providers from their report.

“Carving out” subservice providers is the overwhelming choice because including them requires them to participate in the audit. For large cloud subservice providers like AWS this would be untenable.

But while the SOC 2 auditor does not validate a subservice provider’s controls under the SOC 2 carve-out method, the SOC 2 report recipient must still take steps to validate that the subservice provider is effectively operating the control(s) in question. This is central to vendor risk management within the SOC 2 framework.

 

Takeaway #4: Internal audits are underutilized.

Surprisingly, only 8% of service providers in the study disclosed that they performed an internal audit prior to their external SOC audit.

For organizations that have a robust internal audit function, this is a missed opportunity given the proven value of internal audits to reduce audit costs and improve results.

A lack of internal audit support for SOC 2 reports also contrasts with ISO 27001, where internal audits are a compliance requirement.

 

Takeaway #5: Control exceptions are commonplace.

51% of SOC 2 reports in the study had control exceptions. The average number of exceptions was 2.7, with some reports having as many as 11 exceptions.

While a few exceptions are perhaps to be expected and may not detract unduly from a positive SOC 2 report, a large number of exceptions is potentially cause for concern among customers. Likewise, reports with no exceptions may raise the question of whether the audit was rigorous enough.

Another benefit of exceptions is they provide “opportunities for improvement” to raise the quality and performance of your control environment.

Service providers that have exceptions in their SOC 2 reports should take advantage of the option to provide explanations and responses to exceptions in Section 5, “Organization information not covered by service auditor’s report.” This is a great way to alleviate potential concerns, proactively address client questions, and reduce the amount of follow-up that client due diligence might otherwise require.

Takeaway #6: Qualified opinions are rare.

An unqualified opinion indicates that the SOC auditor found the service provider’s controls to be well designed and effectively operated over the audit period, and that the system description was adequate.

Only 8% of the reports in the study had a qualified opinion. This indicates that the auditor found control objectives and/or trust service criteria that were not sufficiently achieved, based on the noted exceptions.

A qualified opinion warrants extra due diligence scrutiny among service consumers.

 

For more information

 

What’s next?

For more guidance on this topic, listen to Episode 132 of The Virtual CISO Podcast with guest Scott Woznicki, National SOC Practice Leader at CBIZ MHM.