Due Diligence and Ongoing Monitoring

  • 1.  Qualified SOC 2 Report

    This message was posted by a user wishing to remain anonymous
    Posted 24 days ago

    We had a Qualified SOC 2 report on a well-known company. 

    Does anyone follow up on the report for the issues?

    Has it led to larger concerns about the company as a whole?



  • 2.  RE: Qualified SOC 2 Report

    Posted 24 days ago

    If I find anything concerning or need further explanation, I attach the SOC report and send it to whoever the contact is for the vendor and ask for more details. I take their response and attach it to the review before marking it acceptable. 




  • 3.  RE: Qualified SOC 2 Report

    Posted 23 days ago

    Hi,

    Qualified SOC opinions should cause you to pause and examine the report and vendor control environment closely. Involve your IT representative to understand any IT gaps, and closely evaluate the CUECs to ensure you have the complementary user controls needed. You may need to add internal controls on your side of the relationship (more work for your company) to ensure you have the proper detective or preventative controls in place, given that there are areas of the vendor's control environment you can't rely on.

    The SOC report also has a "management response" section, where management responds to the exceptions and remediations being taken. It is very appropriate for you to a) make sure the vendor owner is aware of the gaps and internal controls (extra work) required to ensure the services can be used as expected, b) ask the vendor for follow-up discussions regarding remediations and reporting to you on how they are going (possibly quarterly, depending on how severe they are), and c) seek additional contractual wording and protections (work with an attorney for those).

    There are some surprising qualified SOC reports out there! Good luck!