Checklist: How To Review Your Vendor’s System and Organization Controls (SOC) Report

Written by Angela Akerman on June 9, 2025


Analyzing your organization’s vendors (or service providers) is an essential part of evaluating the risk associated with using third-party services, and one of the best and most practical ways to evaluate that risk is to review a vendor’s System and Organization Controls (SOC) report.

But after you receive a SOC report from a vendor, what happens next? How can you draw out relevant information about the services a vendor provides to your company? How should you use a SOC report to monitor your vendor and evaluate the related risk posed to your organization?

This checklist can help you adequately review a SOC 1 or SOC 2 report (the two most commonly requested of all the types of SOC reports) so that you can make the most informed decisions for your company’s vendor management.


1. Evaluate the provider who performed the SOC examination.

To create necessary context around your review, it’s important to first evaluate the SOC report issuer to determine if it’s a reputable firm.

Key things to consider would be:

  • Is the report issued by an independent service auditor who is a licensed CPA/CPA firm?
  • Is the firm experienced in performing SOC reports?
  • Is the firm knowledgeable in internal controls, IT systems, technology and common cybersecurity frameworks with relevant credentials (e.g., CPA, CISA, CISSP, etc.)?
  • What professional affiliations does the firm have (e.g., Is the firm a member of its state’s board of accountancy? Is the firm a member of the Public Company Accounting Oversight Board? Is the firm enrolled in the AICPA Peer Review Program?)?

This information can often be found on the firm’s website or on other professional websites via a simple web search.

2. Determine the kind and type of SOC examination that was performed.

Because different SOC reports have different content and objectives, it’s important to know what kind and type of report you’re reviewing (e.g., SOC 1 Type 2, SOC 2 Type 2). Many reports will state this on the cover page. If the cover page doesn’t indicate the kind and type of report, then a little more effort is required.

(Image: SOC 1 vs. SOC 2, Type 1 vs. Type 2 comparison chart)

Identifying the Kind of SOC Report You’re Reviewing

Look at the independent service auditor’s report (typically Section I or Section II):

  • If content includes control objectives and aspects relevant to internal control over financial reporting (ICFR), then this is a SOC 1 report. SOC 1 reports are focused on internal controls at a “service organization” (your vendor) that can have an impact on a “user entity’s” (your organization) financial reporting.
  • If the TSP 100 Trust Services Criteria or the DC 200 Description Criteria are referenced, then this is a SOC 2 report. SOC 2 reports have a broader audience and revolve around the security of the organization.
    • Specifically for SOC 2 reports, determine which of the Trust Services Criteria are being addressed in the report (security, availability, processing integrity, confidentiality or privacy). These should coincide with the service commitments your vendor has made to you as their customer.

Identifying the Type of SOC Report You’re Reviewing

Both SOC 1 and SOC 2 also offer a Type 1 and a Type 2 examination. To determine the report type, look to the date referenced in the service auditor’s report.

  • If the exam was completed as of a specified date (e.g., “as of March 31, 2025”), then this is a Type 1 report, which evaluates an organization’s controls as of that date. A Type 1 report only gives reasonable assurances over the system description and whether the controls were suitably designed and implemented as of that specified date.
  • If the report references a period of time (e.g., “April 1, 2024, to March 31, 2025”), then this is a Type 2 report. In a Type 2 exam, the auditor not only gives reasonable assurance over the description and the suitability of design of controls but also performs detailed testing to determine that the controls operated effectively over that entire period.

3. Identify the type of opinion the service auditor gave.

The auditor’s opinion is located in the service auditor’s report and communicates how your vendor fared in their SOC exam.

If there is no “except for” language, then this would be considered an “unmodified opinion”—the most desired result, indicating that your vendor’s system is fairly presented (SOC 1) or presented in accordance with the description criteria (SOC 2), controls were suitably designed and (for a Type 2) controls operated effectively.

If there is “except for” language or no opinion, depending on how material or pervasive the issues were, the service auditor has issued a qualified opinion, an adverse opinion or a disclaimer of opinion.

(Image: Types of opinion comparison chart)

If your vendor received an opinion other than an unmodified opinion, your objective as a reviewer should be to understand the underlying issues, evaluate how relevant they are to your organization and then determine if any concerns should be addressed with the vendor.

4. Consider the reporting dates.

Determine if the report dates are current. If it’s been over a year since the SOC report was issued, the information within may be considered stale.

If the reporting period only covers a portion of your fiscal year, you should request a “gap” or “bridge” letter.

This letter is issued by your vendor (not the service auditor who performed the SOC examination) and communicates whether any material changes in the control environment or design have occurred since the SOC report was issued.

The letter should cover only a short period of time—usually no more than three months.

5. Review information provided by management.

Review the information provided by your vendor’s management to ensure it accurately reflects the services provided to you and to gain a more detailed understanding of the control objectives or controls in place so you can ensure those services are being performed effectively.

Within the SOC report, take note of the sections titled Management’s Assertion and Management’s Description of the System.


6. Review the Control Testing Results for any deficiencies (for Type 2 reports only).

In a Type 2 report (for a SOC 1 or SOC 2), the service auditor will provide the testing results evaluating operating effectiveness (typically Section IV of the report).

Review this section for any exceptions or deficiencies that the service auditor noted. Most reports will also provide management’s responses to the exceptions, either below the exception or in another unaudited section of the report titled “Other Information Provided by the Service Organization” (typically Section V). (Remember, the service auditor doesn’t express an opinion about the information provided in the unaudited section.)

As a reviewer of the report, it’s important to consider the service auditor’s exceptions and management’s responses and determine if you feel the responses are appropriate or if there is cause for concern for your organization.

7. Review requirements for your company’s control structure.

The Complementary User Entity Controls (CUECs) and/or User Responsibilities sections outline the controls your vendor requires you to have in place, and the responsibilities you must fulfill, in order for their system and controls to function as stated within the report.

You should review these items to determine whether they are integrated into your organization’s control structure and whether adequate steps have been taken to ensure your organization is adhering to these responsibilities.

8. Consider whether the report is “inclusive” or “carved out.”

Your vendor may use the services of other organizations (known as “subservice organizations”) to meet their control objectives (SOC 1) or their service commitments and system requirements (SOC 2).

If your vendor chooses to include testing of the subservice organization’s controls in the examination, then this would be considered an “inclusive report.” In this scenario, both your vendor and the subservice organization would be responsible for providing an assertion in the report.


A more typical approach is to not include testing of the subservice organization’s controls, which would be a “carved-out” approach. In this case, the report will include a section regarding Complementary Subservice Organization Controls (CSOCs), which address:

  • The nature of the services provided by the subservice organization
  • The complementary controls expected to be implemented at the subservice organization
  • How your vendor monitors its subservice organizations

Learn More About Reviewing Your Vendor’s SOC Reports and Other Vendor Management Tactics

Your organization may save resources by outsourcing services to third parties, but you cannot outsource responsibility to ensure they have good security measures and internal controls in place and to confirm they are complying with the commitments made to you. Remember, typically, it’s the organization that suffers the financial, operational or reputational risks—not the vendor—if a major breach or incident occurs.

If you’d like to learn more about launching or maintaining a strong vendor management program, reach out to your Warren Averett advisor directly, or ask a member of our team to reach out to you.

This article was originally published on April 4, 2024 and most recently updated on June 9, 2025.
