A System and Organizational Controls (SOC) report is the result of a third-party independent audit to determine the status and reliability of internal controls. Put simply, it lets you know if a financial institution has effective risk management controls in place.
A SOC report contains a lot of information, but vendor due diligence requires much more than reviewing a SOC report.
As a vendor management tool, a SOC report offers an initial view into a vendor’s security posture. It tells you which controls are in place and how thoroughly they have been tested. A light SOC report doesn’t mean a company has a poor security posture or none at all; more questions are necessary to assess risk.
SOC reports provide a good starting point for you to dig deeper. For example, the SOC report might show that a company has an anti-spam solution installed and treat that as an effective cyber control. But a quick scan using a security monitoring tool might uncover that it’s still possible to spoof that vendor’s domain and phish your institution.
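One concrete version of that follow-up check is to look at whether a vendor's domain publishes SPF and DMARC records that receiving mail servers will actually enforce. The script below is an added example, not code from the article or from any vendor assessment tool: it parses SPF and DMARC TXT records and reports where a domain's anti-spoofing posture falls short. The three vendor domains and their DNS records are constructed for illustration; in practice you would fetch the TXT records with a DNS lookup instead of reading them from the embedded dictionary.

```python
"""Assess a vendor domain's email anti-spoofing posture from SPF and DMARC.

Added example with constructed DNS data. The records in VENDOR_RECORDS are
made up; a real check would query the domain's TXT record and the TXT record
at _dmarc.<domain> instead of reading this dictionary.
"""
import re

# Constructed sample records for three hypothetical vendor domains.
VENDOR_RECORDS = {
    "hardened-vendor.example": {
        "txt": ["v=spf1 include:_spf.mail.example -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened-vendor.example"],
    },
    "monitor-only-vendor.example": {
        "txt": ["v=spf1 ip4:192.0.2.0/24 ~all"],
        "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only-vendor.example"],
    },
    "bare-vendor.example": {
        "txt": ["site-verification=constructed-token"],
        "dmarc": [],
    },
}


def parse_spf(txt_records):
    """Return the SPF record's terms, or None when there is not exactly one
    v=spf1 record (RFC 7208 treats zero or multiple records as no SPF)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0].split()[1:]  # drop the "v=spf1" version tag


def spf_all_qualifier(terms):
    """Qualifier on the 'all' mechanism: '-' hard fail, '~' soft fail,
    '?' neutral, '+' pass. Returns None when 'all' is absent."""
    for term in terms:
        m = re.fullmatch(r"([-~?+]?)all", term.lower())
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(txt_records):
    """Parse the _dmarc TXT record into a tag dictionary, or None if absent."""
    recs = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoofing_posture(domain_txt, dmarc_txt):
    """Return a dict with the DMARC policy, whether receivers will enforce it,
    and a list of findings explaining any gap."""
    findings = []

    spf_terms = parse_spf(domain_txt)
    if spf_terms is None:
        findings.append("no valid SPF record (exactly one v=spf1 TXT is required)")
    else:
        qualifier = spf_all_qualifier(spf_terms)
        if qualifier is None or qualifier == "+":
            findings.append("SPF does not restrict senders (missing 'all' or +all)")
        elif qualifier in ("~", "?"):
            findings.append(f"SPF '{qualifier}all' is advisory only; receivers rarely reject on it")

    dmarc = parse_dmarc(dmarc_txt)
    policy = None
    pct = 100
    if dmarc is None:
        findings.append("no DMARC record: receivers will not enforce SPF/DKIM alignment")
    else:
        policy = dmarc.get("p", "").lower() or None
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 0
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy p={policy or 'missing'} only monitors; spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applies to only part of the traffic")

    enforced = spf_terms is not None and policy in ("quarantine", "reject") and pct == 100
    return {"enforced": enforced, "dmarc_policy": policy, "findings": findings}


def assess_vendor(domain):
    """Look up a constructed vendor domain and assess it."""
    records = VENDOR_RECORDS[domain]
    return assess_spoofing_posture(records["txt"], records["dmarc"])


if __name__ == "__main__":
    for name in VENDOR_RECORDS:
        result = assess_vendor(name)
        status = "enforced" if result["enforced"] else "NOT enforced"
        print(f"{name}: DMARC {status} (p={result['dmarc_policy']})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

A domain only comes back as "enforced" when a single SPF record exists and DMARC is set to quarantine or reject for all traffic; a p=none policy or a soft-fail SPF record is exactly the kind of gap a SOC report's "anti-spam solution in place" line item would not reveal, and is worth raising with the vendor during due diligence.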
That’s why it’s important to review other due diligence documentation for vendors, in addition to SOC reports. The Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) provide the following examples of due diligence documentation in Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks, among others:
These documents will allow your institution to conduct a thorough risk assessment that gives you a clear picture of the risks of working with a particular vendor. Failing to undertake research may leave your institution exposed to third-party breaches and other operational risks.
Nothing is a replacement for a SOC report. It has a specific, important purpose: telling you the story of a third-party vendor so you know what other questions to ask and where to dig deeper.
But it’s not everything, so don’t let it be.