
The New Pain Points of SOC Report Controls in SOX Compliance
Is it time to rethink your approach to managing the SOC report process?
By Toby DeRoche CIA, CCSA, CRMA, CFE, CISA, cAAP
System and organization controls (SOC) report controls used to be the easy controls to test as part of your SOX program.
You’d get the SOC 1 report, ensure that the identified control owner reviewed the report’s relevant controls, and document your testing procedures.
It’s not that easy anymore.
External auditors have been placing heightened focus on SOC 1 reporting. Many SOX teams have been scrambling to respond, facing questions they’ve never been asked before.
Based on my experience and what I've heard from other audit and SOX practitioners, SOC 1 reports were the year-end SOX challenge many teams didn’t see coming. Most SOX teams expected to request current SOC reports from vendors (just the current ones), scan for control deficiencies (not find any), and quickly map the complementary user entity controls (CUECs). This year was different. Our external auditors expected us to go MUCH deeper.
We needed to show full-year coverage with multiple reports, not just bridge letters. We had to formally evaluate CUECs. Lastly, we were expected to request additional SOC 1 reports from our vendors’ vendors to cover complementary subservice organization controls (CSOCs). For many of us, this did not go well.
The main obstacle is time. It takes more time to analyze SOC 1 reports to this level, document and map the complementary controls, and gather additional reports for coverage. Plus, it’s difficult to anticipate issues that need attention from the CFO or board (e.g., vendors can’t meet expanded expectations).
If your external auditor hasn’t already increased their expectations around SOC 1 reporting, it’s probably only a matter of time. Don’t get caught without time to plan and execute. Raise awareness with your CFO and team, have proactive conversations with your external auditor about expectations for the coming year, and take action to avoid or reduce some of the likely challenges. While you probably can’t solve all of these problems, you can take action now to avoid the mad scramble many teams went through.
Before diving into the pain points, if you need a refresher on SOC 1 report terminology and key considerations (e.g., timing, risks), check out the FAQ at the end of the article.
3 New SOC Pain Points and How to Solve for Them
1. What If the SOC Report and Bridge Letter Don’t Provide Full-Year Coverage?
In the past, SOX teams generally requested one SOC 1 report per vendor and then obtained a bridge letter to cover the rest of the fiscal year. Now, external auditors expect SOX teams to demonstrate full-year coverage with actual reports, which often means more than one report per vendor. Unfortunately, vendors set their own coverage periods and release dates, so in many cases a vendor's report period plus its bridge letter still leaves part of our organizations' fiscal years uncovered.
In addition, external auditors cannot rely solely on bridge letters for significant spans of time. A bridge letter is a representation by the vendor's management, not something the service auditor has tested; the control testing needed to back it up can only come from a second SOC 1 report covering the remainder of the year, something many vendors can't afford, in either staff time or budget. Ultimately, if the vendor cannot produce full-year coverage, your team may need to add procedures of its own to prove the outsourced application works as intended.
A CAE posting on the Internal Audit Collective shared his team’s experience. The organization’s external auditor didn’t allow partial reliance, saying their methodology requires a full-coverage SOC 1 report within a reasonable time for year-end procedures. As a result, his team had to implement compensating business process controls — further complicated by exhaustive external auditor testing to mitigate insufficient coverage of ITGCs during the fiscal period and support controls’ operating effectiveness.
What to Do Now
- Engage external auditors early. Don’t wait until the annual audit to discover problems. Have conversations with external auditors now to align expectations and avoid last-minute surprises.
- Consider more frequent SOC report testing. For example, if you typically perform all testing at year end, consider testing twice a year to gain a clearer picture of potential timing and coverage issues.
- Consider asking vendors for accommodations. Can they change or extend their SOC reports’ coverage periods or produce two SOC reports annually? While not all vendors will be able to accommodate, some CAEs have had success with this strategy. Another CAE posting on the Internal Audit Collective reported that they negotiated with (and paid for) their vendor to perform another round of testing to issue a second SOC report.
- Implement ongoing vendor monitoring. Treat vendor assessments as a continuous process, not a one-time checklist. Set up periodic reviews and monitoring programs to track compliance over time. This was my biggest mistake. I tried to do all the work in November and December — as we always had — but there wasn’t enough time.
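The full-year coverage check described above, as an added example that is not part of the original article. It takes each vendor's SOC 1 Type 2 coverage periods and bridge-letter periods, labels every day of the fiscal year as tested, bridge-letter-only, or uncovered, and flags both gaps and bridge-letter-only spans longer than an agreed limit. The vendor names, dates, and the 90-day limit are constructed assumptions; how long a bridge-letter-only span your external auditor will accept is something to settle with them, not a fixed rule.

```python
"""Fiscal-year coverage check for vendor SOC 1 reports and bridge letters.

Added example, not the article's own tooling. Vendor names, dates, and the
90-day bridge-letter limit are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Period:
    vendor: str
    start: date
    end: date
    kind: str  # "soc1" = SOC 1 Type 2 coverage period, "bridge" = management bridge letter


def classify_days(fiscal_start, fiscal_end, periods):
    """Label each day of the fiscal year: 'tested' if a SOC 1 Type 2 period covers
    it, 'bridge' if only a bridge letter covers it, otherwise 'gap'."""
    labels = []
    day = fiscal_start
    while day <= fiscal_end:
        status = "gap"
        for p in periods:
            if p.start <= day <= p.end:
                if p.kind == "soc1":
                    status = "tested"  # tested coverage wins over a bridge letter
                    break
                status = "bridge"
        labels.append((day, status))
        day += timedelta(days=1)
    return labels


def collapse(labels):
    """Compress consecutive same-status days into (start, end, status) runs."""
    runs = []
    for day, status in labels:
        if runs and runs[-1][2] == status:
            runs[-1] = (runs[-1][0], day, status)
        else:
            runs.append((day, day, status))
    return runs


def assess_vendor(vendor, fiscal_start, fiscal_end, periods, max_bridge_days=90):
    """Return (runs, findings) for one vendor. A finding is raised for any day
    with no coverage and for any bridge-letter-only run over max_bridge_days."""
    own = [p for p in periods if p.vendor == vendor]
    runs = collapse(classify_days(fiscal_start, fiscal_end, own))
    findings = []
    for start, end, status in runs:
        days = (end - start).days + 1
        if status == "gap":
            findings.append(
                f"{vendor}: no SOC 1 or bridge-letter coverage {start} to {end} ({days} days)")
        elif status == "bridge" and days > max_bridge_days:
            findings.append(
                f"{vendor}: bridge letter only {start} to {end} ({days} days) "
                f"exceeds the {max_bridge_days}-day limit agreed with the auditor")
    return runs, findings


# Constructed sample data: a calendar-year fiscal 2025 and three hypothetical vendors.
FISCAL_START, FISCAL_END = date(2025, 1, 1), date(2025, 12, 31)
SAMPLE_PERIODS = [
    # Report ends 9/30; the bridge letter alone covers Q4 (92 days).
    Period("PayrollCo", date(2024, 10, 1), date(2025, 9, 30), "soc1"),
    Period("PayrollCo", date(2025, 10, 1), date(2025, 12, 31), "bridge"),
    # Report ends 6/30 and the bridge letter stops at 9/30: Q4 has no coverage at all.
    Period("HostingCo", date(2024, 7, 1), date(2025, 6, 30), "soc1"),
    Period("HostingCo", date(2025, 7, 1), date(2025, 9, 30), "bridge"),
    # Two back-to-back reports plus a short bridge letter: acceptable full-year coverage.
    Period("ClearingCo", date(2024, 11, 1), date(2025, 4, 30), "soc1"),
    Period("ClearingCo", date(2025, 5, 1), date(2025, 10, 31), "soc1"),
    Period("ClearingCo", date(2025, 11, 1), date(2025, 12, 31), "bridge"),
]


def demo(max_bridge_days=90):
    """Assess every vendor in the sample data; returns {vendor: (runs, findings)}."""
    vendors = sorted({p.vendor for p in SAMPLE_PERIODS})
    return {v: assess_vendor(v, FISCAL_START, FISCAL_END, SAMPLE_PERIODS, max_bridge_days)
            for v in vendors}


if __name__ == "__main__":
    for vendor, (runs, findings) in demo().items():
        print(vendor)
        for start, end, status in runs:
            print(f"  {start} to {end}: {status}")
        for finding in findings:
            print("  FINDING:", finding)
```

Run against the real vendor list twice a year, as the second action item suggests, and the per-vendor runs double as the coverage map to bring to the early conversation with the external auditor; the gap and bridge-letter findings are the vendors to start negotiating with first.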
2. How Do You Know the Data You Provided to Your Vendor is Complete and Accurate?
A SOC 1 report provides the service auditor's opinion that the vendor's controls are suitably designed and, for a Type 2 report, operating effectively. However, those controls were designed on the assumption that user organizations maintain their own controls, the CUECs, so the vendor cannot give assurance that transactions are correct unless we can show the information we provided was complete and accurate in the first place.
External auditors are scrutinizing whether organizations have properly implemented the CUECs listed in SOC 1 reports. This means SOX teams need to extract CUECs from SOC reports and either map them to the organizations’ controls or explain why they are not required. Generally, organizations do have these controls, so this isn’t a question of coverage. The challenge is formal control mapping for all SOC 1 reports, which can be time-intensive, especially in large organizations with many vendors. However, if SOX teams can’t prove that their organizations have the right controls in place, they could face control deficiencies or material weaknesses.
What to Do Now
- Go beyond surface-level SOC 1 review. Read SOC reports carefully, identify CUECs, and assess whether your organization has the right internal controls to support them.
- Strengthen collaboration between Internal Audit and IT to cover control gaps. Ensure that IT, Risk, and Compliance teams work together to validate SOC 1 findings and adjust internal controls as needed. To cover gaps, your organization may need to implement new controls over vendor reliance, financial transaction integrity, and IT security.
3. How Do You Know Your Vendor’s Vendors Have Appropriate Controls in Place?
CSOCs are the controls vendors expect their own third-party vendors to have in place. This is where external auditors’ new expectations for SOX teams get increasingly tricky. Many SOX teams have focused only on their direct vendors, but auditors have been asking us to dig deeper into our vendors’ vendors, raising tougher questions about whether we’re meeting CSOC expectations. Failing to consider CSOCs could leave organizations with blind spots in their SOX compliance efforts, potentially leading to audit findings no one wants to deal with. After all, if our vendors’ controls rely on their third parties’ controls but CSOCs aren’t operating effectively, our vendors’ controls are compromised.
In the past, verifying CSOCs was considered vendors’ responsibility. However, our organizations’ third- and Nth-party risks multiply with each link added to our vendor chains, so we should try to understand our entire vendor chains as much as we can. In practice, it’s an astoundingly tall order.
When external auditors ask SOX teams to request additional SOC 1 reports from vendors' vendors to cover CSOCs, smooth sailing is not assured. First, you'll have to read through vendors' SOC 1 reports very carefully to understand whether their controls rely on third parties' controls. The report states how each subservice organization is treated: under the inclusive method its controls are tested within the report, while under the carve-out method its controls are excluded and the controls your vendor expects of it appear as CSOCs, so only carved-out subservice organizations call for an additional report. Second, you have no relationship with these fourth-party vendors and no right to their confidential reports.
What to Do Now
- Identify and assess subservice providers’ controls when possible. Identify all subservice providers listed in vendors’ SOC 1 reports, requesting their SOC 1 reports when possible. Assess whether critical vendor controls depend on fourth-party CSOCs. Adjust internal controls to fill any gaps and mitigate potential risks.
- Improve vendor risk management. Establish a structured risk assessment framework that includes third- and fourth-party providers.
Time to Rethink Your SOC 1 Approach
With regulators and external auditors putting more focus on third-party and even fourth-party risks, the old way of reviewing SOC 1 reports isn’t going to cut it. SOX teams must take a more hands-on approach to understanding and validating vendor controls, including a solid vendor risk assessment process that addresses fourth-party risks. If we don’t adapt, we risk audit deficiencies, increased compliance costs, and potential disruptions to our SOX programs. By strengthening our SOC 1 review processes, improving vendor risk management, and keeping an open dialogue with external auditors, we can stay ahead of the curve and keep compliance efforts on track.
Don’t wait. The best time to rethink your SOC 1 approach is now.
SOC 1 reports are just one of many areas we struggle with in SOX compliance. I believe the key to a stronger SOX program is bringing the business process teams deeper into the IT controls. We need to break down the silos in SOX. My SOX Synergy course provides additional structure and detail to help financial auditors and SOX teams with real-world scenarios and best practices for bridging the IT-business audit gap. Sign up for SOX Synergy today.
SOC 1 Reporting FAQ
What Is a SOC 1 Report?
As most SOX program leaders know, a SOC 1 report is a third-party attestation report in which a service auditor evaluates a vendor's controls relevant to user organizations' internal control over financial reporting, including the supporting IT general controls (ITGCs). A Type 1 report covers control design at a point in time; a Type 2 report, the kind SOX teams rely on, tests both design and operating effectiveness over the coverage period.
What Is the Typical Timing for SOC 1 Reports?
SOC 1 reports cover the specific time periods requested by the vendor, often the vendor's fiscal year. However, the SOC 1 report is typically issued a few months after the coverage period ends. For example, a report covering 1/1/2024 to 12/31/2024 wouldn't be issued until March or April of 2025.
What Are Bridge Letters?
Bridge letters (sometimes called gap letters) are statements from the vendor's management, not from its service auditor, that "bridge" the gap between the SOC 1 report's end date and the user organization's fiscal year-end. They summarize any material changes or control issues identified after the most recent SOC 1 report's end date (including how they're being handled) and assert that controls remain effective; because no auditor has tested that assertion, they provide a lower level of assurance than the report itself.
What Are Common Uses for SOC 1 Reports?
When vendors process organizations’ financial transactions or move or store their critical financial data, user organizations need to ensure that the vendors aren’t introducing risk into their organizations. Such vendors often use SOC 1 reports to demonstrate that their controls are effective in safeguarding user organizations’ financial data; in turn, user organizations rely on the SOC 1 reports for assurance of controls effectiveness. SOC 1 reports have long been important for SOX compliance because they help us verify whether outsourced financial processes are handled securely.
What Is a CUEC?
Complementary user entity controls (CUECs) are the controls our vendors expect us to implement for a strong control environment. SOC 1 reports list the CUECs the vendor expects user organizations to have in place. Often, these are common controls organizations already have. For example, say your organization uses a payroll service provider with a SOC 1 report describing strong controls over payroll processing. The vendor may assume your organization verifies employee pay rate changes before submission — because if you don’t, their controls are ineffective. That means your organization’s SOX controls could fail even if your vendor’s SOC 1 report looks solid.
What Is a CSOC?
As if CUECs weren’t enough to worry about, SOX teams also need to understand complementary subservice organization controls (CSOCs), also known as fourth-party controls. CSOCs are the controls that our third-party vendors expect their third-party providers to have in place. For instance, if your ERP provider uses a cloud hosting company, their SOC 1 report may reference controls that rely on that hosting provider. If those fourth-party controls aren’t validated (or if the fourth party’s SOC 1 report identifies an issue), your organization may be exposed to unknown risks.
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed, community to gain perspectives, share templates, expand your network, and to keep a pulse on what’s happening in Internal Audit and SOX compliance.