Hi,
Qualified SOC opinions should cause you to pause and examine the report and vendor control environment closely. Involve your IT representative to understand any IT gaps, and closely evaluate the CUECs, to ensure you have the complementary user controls needed. You may need to add internal controls on your side of the relationship (more work for your company), to ensure you have the proper detective or preventative controls in place, given that there are areas of the vendor's control environment you can't rely on.
The SOC report also has a "management response" section, where management responds to the exceptions and the remediations being taken. It is very appropriate for you to a) make sure the vendor owner is aware of the gaps and the internal controls (extra work) required to ensure the services can be used as expected, b) ask the vendor for follow-up discussions regarding remediations and for reporting to you on how they are going (possibly quarterly, depending on how severe they are), and c) add additional contractual wording and protections (work with an attorney for those).
There are some surprising qualified SOC reports out there! Good luck!
Original Message:
Sent: 09-12-2024 10:29 AM
From: Anonymous Member
Subject: Qualified SOC 2 Report
This message was posted by a user wishing to remain anonymous
We had a Qualified SOC 2 report on a well-known company.
Does anyone follow up on the report for the issues?
Has it led to larger concerns about the company as a whole?