How to Maximize your SOC Report

Every SOC report follows the same basics – the attestation is completed, demonstrating a company’s adherence to established controls, and the report is then provided to customers and prospects (under NDA, of course).  Now that everyone is assured that their data is secure in the hands of the organization, what’s next?  Rinse and repeat every year?  Hardly.

As simple as the basic process sounds, there are other ways to gain additional value with a SOC report while doing what is required of your organization (perhaps contractually).  In order to maximize your report year over year, use the SHARPE method:

  • Showcase Your Unique Tools and Applications
    If you’re utilizing the latest in technology, why not demonstrate the use of your best-in-class tools?  Whether monitoring for threats, analyzing logs, or patching vulnerabilities, the SOC report is the perfect place to demonstrate your control posture.

  • Highlight Your Controls
    That includes those beyond the scope of review. While the Testing Matrices section of your report includes the control activities necessary to meet the established control objectives (SOC 1) or trust services criteria (SOC 2), options exist to demonstrate additional controls in place.  Within the audited section of the report (Section 3), the system description can be utilized to elaborate upon the functioning of key controls or processes (i.e., how the controls function in detail).  Within the unaudited section of the report (Section 5), additional information can be documented regarding other items of relevance to the report recipient (e.g., compliance with privacy laws or regulations such as GDPR, CCPA, etc.).

  • Accentuate Process Flows
    Add some color to your report by including process flow graphs or diagrams to further elaborate on unique processes or controls.  For example, data flows are oftentimes best demonstrated via diagrams.  Additional considerations should be given to data classification levels or components of the risk assessment and treatment methodology.

  • Record Changes in Controls
    Your business is continuously changing, but are your controls keeping up with the pace?  Changes to existing controls should be communicated in advance of fieldwork to ensure they are properly included, and the report contents should expand upon these changes to demonstrate enhancements in the entity’s controls.

  • Protect the Report Contents
    Worried about the report falling into the wrong hands?  A password of your choice can be applied to the document so that it cannot be opened without it.  If that is deemed excessive, the organization’s requirements for accessing the report content can be applied as part of a clickwrap version that requires the recipient to acknowledge the terms before viewing the report.

  • Explain Deviations From the Norm
    Were there exceptions or deviations identified as part of the assessment?  While optional, you may provide a management response within Section 5 of the report to reduce the number of potential inquiries.  Consideration should be given to documenting what caused the deviation, how the issue was corrected, the details of mitigating controls, and how the entity plans on remediating the issue to prevent recurrence.

SOC reports don’t have to be “just routine.”  By applying the SHARPE method, you can ensure your report is providing the most value by effectively communicating the entity’s commitment to safeguarding customer data and protecting critical company assets.

About the Author

Robert Tylka

Robert Tylka is a Director at Schellman & Company. With over 16 years of experience in providing IT attestation and compliance services, Robert currently co-leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In his portfolio he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the financial services, information technology, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies, with a strong focus in the technology sector.
