SOC Report Review Template (V1.0)

Vendor Name:
Vendor Contract / PO Number:
Reviewer Name:
Business Unit / Cost Center:
Date Report Provided by Vendor:
Date or Date Range of Report:
Date Reviewed:

Item | Description and / or Suggested Action | Review Response | Comments / Notes

1 SOC Report Category and Type

1.1 Is it a SOC 1, SOC 2, or SOC 3?
    Suggested action: Review the contract to determine the SOC report category to be provided by the vendor. Generally, the vendor will be required to provide a SOC 1 and / or SOC 2 report (and not a SOC 3 report). If you did not receive the correct SOC report category, contact the vendor and ask that they provide you with the correct SOC report category. You only need to review the SOC 2 report. If you received a SOC 3 report along with a SOC 1 and / or SOC 2 report, you do not need to review the SOC 3 report.

1.2 Is it a Type 1 or Type 2?
    Suggested action: Review the contract to determine the SOC report type to be provided by the vendor. Generally, the vendor will be required to provide a SOC Type 2 report (and not a SOC Type 1 report). If you did not receive the correct SOC report type, contact the vendor and ask that they provide you with the correct SOC report type. If you received a SOC Type 1 report along with a SOC Type 2 report, you do not need to review the SOC Type 1 report.

2 Report Date

2.1 Type 1: Is the report "as of date" within the past 60 days?
    Suggested action: First, determine if a SOC Type 1 report is the correct type (generally, the vendor will be required to provide a SOC Type 2 report). If you did not receive the correct SOC report type, contact the vendor and ask that they provide you with the correct SOC report type. If a SOC Type 1 report is the correct type and the "as of date" is not within the past 12 months, contact the vendor and ask that they provide you with a current report or a "bridge" or "gap" letter. If you encounter difficulties in obtaining the correct report, contact the Vendor Management Office for assistance.

2.2 Type 2: Is the "end of the review period" within the past 60 days?
    Suggested action: If no, contact the vendor and ask that they provide you with a current report or a "bridge" or "gap" letter. If you encounter difficulties in obtaining a current report or a "bridge" or "gap" letter, contact the Vendor Management Office for assistance.

2.3 If either of the report dates as described above is older than 60 days from the date of receipt, has the vendor provided a "bridge" or "gap" letter to provide current coverage?
    Suggested action: If you've asked the vendor for a "bridge" or "gap" letter because the vendor is unable to provide you with a recent report and the vendor isn't being responsive to your request, contact the Vendor Management Office for assistance.

3 Service Auditor's Opinion

3.1 Does the independent service auditor report indicate whether the description of the service organization's system is fairly presented?

3.2 Does the independent service auditor report state that controls were designed appropriately?
    Suggested action: If there are any negative (or what you perceive to be negative) comments, contact the Vendor Management Office for assistance.

3.3 Does the independent service auditor report state that controls were operating effectively?

4 Testing Exceptions

4.1 Were there any testing exceptions in the report?

4.2 If yes, did management provide responses for remediation?

    Suggested action (4.1 and 4.2): If there were any testing exceptions indicated, even if management provided a response for remediation, contact the Vendor Management Office for assistance.

5 Complementary Controls at User Entity

5.1 Are there any user entity controls that you are responsible for as the Contract Manager?
    Suggested action: If yes, ensure that you document the controls that you are responsible for. These can be documented in your contract file. Ensure that you are managing and monitoring the controls that you are responsible for.

5.2 Are there any user entity controls that you are unsure whether you are responsible for?
    Suggested action: If yes, contact the Vendor Management Office for assistance.

5.3 Are there any user entity controls that you are unsure whether or not [Customer Company] has implemented or that you would like more information on?
    Suggested action: If yes, contact the Vendor Management Office for assistance.