Due Diligence and Ongoing Monitoring


Reviewing 3rd Party Attestation reports

  • 1.  Reviewing 3rd Party Attestation reports

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2021 05:24 PM

    Looking for some assistance on how to review our 3rd party's reports, SOC reports for example.
    Is there a checklist or similar that can be used to ensure that what is covered in the SOC report is adequate?

    Appreciate any insights.

  • 2.  RE: Reviewing 3rd Party Attestation reports

    Posted 06-02-2021 05:52 PM
    Generally I'm reviewing the exceptions that the auditor called out in addition to the critical third parties utilized by the vendor. The outlined exceptions usually have a "management response" (what is being done to address the finding). I will often request an update on the management response or updated control.

    Hope that helps,


    Garrett Grossman

  • 3.  RE: Reviewing 3rd Party Attestation reports

    Posted 06-03-2021 09:20 AM
    In addition to what was previously mentioned, we use the following checklist:

    Review Area                  | Where Addressed
    -----------------------------|----------------
    Backup and Recovery          |
    Disaster Recovery Planning   |
    Physical Security            |
    Logical Security             |
    Policies and Procedures      |
    Change Management            |

    I also use the SOC to verify policies and procedures, as I have found that certain vendors won't release copies of some policies (3rd party/vendor management, etc.); however, you can verify that they have them and get some pretty good details around a lot of a vendor's policies from the SOC.  Similarly, I have multiple vendors that don't release BCP or similar testing or specifics on their plan; however, you can usually verify that they have a plan and are completing associated testing from the SOC.  You can't usually tell the results of the testing, but at least you can verify it was completed.


  • 4.  RE: Reviewing 3rd Party Attestation reports

    Posted 06-03-2021 09:22 AM

    I actually created a checklist [which the auditors seem to like mainly because it creates consistency] mostly because there isn't one 'gold standard' that I ever found.


    The main thing for that, though, is to ask a few questions:

        What is the main purpose of the review?   [Mine is data security mostly]

        What are the most important things in a SOC report that you want to see covered?

            One technique I used in the beginning was to use a 'strong' SOC as a model.  [By strong, I mean from a company that you just feel is doing things right.]


    Some categories I found useful:

        Qualified or Unqualified report
        New Hire Background checks
        Staff Confidentiality/Code of Ethics
        Malware protection
        Physical Security
        Environmental Security
        Disaster testing
        Penetration Testing

    These are just top-of-mind categories that I find good to tag/make note of in a SOC report review.  Your mileage may vary.
    David Howe

    Chief Information Officer