How do you read a SOC 2 report for quality? And what can you do if it's bad?
READING A SOC 2 REPORT

1. Audit Opinion (section 1 or 2 of the report, depending on the firm's layout)
Quality Signals:
→ Good: Unqualified (unmodified) opinion.
→ Bad: A "qualified" opinion means the auditor found exceptions significant enough that at least one criterion was not met. Read the opinion paragraph for scope limitations or carve-outs as well. Note that an unqualified opinion does not mean zero exceptions: individual test exceptions are still listed in section 4 and should still be read.

2. System Description (section 3 of the report)
Quality Signals:
→ Good: A lot of detail about the company, product, infrastructure, and security program in narrative form, including which subservice organizations (for example, the cloud hosting provider) are carved out or included, and the complementary user entity controls you, the customer, are expected to operate.
→ Bad: Template language that could describe any company is a red flag.

3. Controls and Testing (section 4 of the report)
Quality Signals:
→ Good: Thorough controls and clearly written test procedures (inspection of evidence, observation, re-performance), with sample sizes where relevant.
→ Bad: Tests that are "inquiry only" (the auditor just asked management), vaguely written test procedures, or controls you would expect to see that are missing (for example, MFA, periodic access reviews, vulnerability management, change management, logging and monitoring).

4. Report Scope and Audit Period
Quality Signals:
→ Good: The scope (system, locations, and trust services criteria covered) matches the product and service you are actually buying. The audit period is the most recent 12 months. A Type 2 report covers operating effectiveness over that period; a Type 1 only covers control design at a point in time and gives much weaker assurance.
→ Bad: Scope that is irrelevant to you (a different product, or only the corporate office). Odd audit periods such as a series of 1 month or 3 month windows. A period that ended long ago; if there is a gap between the period end and today, ask for a bridge letter.

VETTING THE AUDITOR

1. Validate the CPA Firm
Quality Signals:
→ Good: CPA firm is licensed and has passed AICPA peer review. Has a dedicated SOC 2 practice.
→ Bad: Not licensed, no peer review, or a failed peer review. No dedicated SOC 2 practice.

2. Independence Check
Quality Signals:
→ Good: CPA firm has no financial ties to the entity it is auditing.
→ Bad: CPA firm shares investors with the vendor, is too closely tied to the vendor's GRC platform partner, or the client represents too large a share of the CPA firm's total revenue.

WHAT CAN YOU DO ABOUT IT?

Okay, if you find issues, what can you do about it? I get that TPRM teams do not want to be the bad guy holding up important projects. Here are a few options:

1. Be Clear About the Issues
The most important thing you can do is make the business leader aware of the issues you are seeing with the vendor and why they concern you. Ultimately, your job is to raise risks; their job is to make the decision.

2. Ask for More Assurance
If the SOC 2 report isn't giving you what you need, you are within your rights to ask for more assurance. That could look like:
→ Questionnaires
→ Signed security commitments from the vendor's leadership
→ An interview with the CISO, and spot checks of the artifacts you are worried about
→ Other certifications (if available)

3. Contract and Insurance
You could also work with your legal team to consider contractual protections:
→ More cyber insurance
→ Representations and warranties about the security program
→ Mandatory disclosures
→ Pricing concessions

4. Recommend Alternatives
This is not always feasible, but sometimes looking at a few vendors side-by-side is helpful.