Tips for Good Management Responses to Testing Exceptions in SOC 2 Reports

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Management Responses in Section IV of Service Organization Control Type 2 Reports

Section IV of a SOC 2 report is titled "Trust Services Category, Criteria, Related Controls, and Test of Controls." It presents the organization's controls, the procedures the auditor performed to test them, and the results of those tests. For example, an excerpt might look like this:

CC8.8 – The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Control #: 8.8.1
Control: Anti-virus software is installed on all workstations and is configured to automatically receive updated virus definitions.
Procedure: For a sample of workstations, verified that anti-virus software is installed and configured to update automatically.
Result: Exception noted.
Exception Detail: We noted two of 25 workstations that did not have anti-virus installed and 4 of 25 that were not configured for automatic updates.

Control #: 8.8.2
Control: Email filters are configured to scan all inbound email for malware.
Procedure: Observed the configuration of email filters.
Result: No exceptions noted.

It is common for SOC 2 reports to contain findings from the auditors, even with reports that feature clean opinions. The presence of exceptions noted in Section IV does not alone indicate that the service organization received a modified opinion. Nevertheless, it is important for management to issue a response to each finding.

Management responses are included in Section V – Other Information Provided by the Service Organization that is Not Covered by the Service Auditor’s Report. A response to an exception could be displayed as follows:

CC8.8 – The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Control #: 8.8.1
Control: Anti-virus software is installed on all workstations and is configured to automatically receive updated virus definitions.
Exception: We noted two of 25 workstations that did not have anti-virus installed and 4 of 25 that were not configured for automatic updates.
Management's Response: Management has taken the following remediating actions:
  • Installed anti-virus software on the machines discovered not to have it installed
  • Corrected the update settings on the machines with improper anti-virus update settings
  • Developed plans to perform a full reconciliation of all networked workstations to ensure they have anti-virus

How to Craft Good Management Responses

It is important to convey to the readers of your SOC report that you take the auditor's findings seriously. Responses should be free from grammatical errors and should show that the service organization has a strong grasp of the exception. The best management responses have the following characteristics:

  • Demonstrate that the organization has plans to address immediate items discovered by the auditor
  • Demonstrate that the organization has or is developing plans to address the causes that gave rise to the exception

In the example response above, the service organization is communicating that, as of the report issuance date, it had already remediated the sampled workstations that contained exceptions. Additionally, it has plans to implement a monitoring control (the full reconciliation of networked workstations); the absence of such a control increased the likelihood of anti-virus policy non-compliance.

Section V is Unaudited

As indicated in the title of Section V, the contents of this section are unaudited. Nevertheless, the auditor will read what the service organization communicates in this disclosure, and if it contains material misstatements of fact, the auditor will require that the language be changed. If it is not changed, the auditor will either modify the Independent Service Auditor's Report (Section I) to indicate the misstatement or could go as far as withdrawing from the engagement.

Conclusion

During the course of the audit, it is not uncommon for your service auditor to find testing exceptions. Those exceptions, even if they do not result in a modified opinion, are disclosed in Section IV of the report. However, that disclosure is not the end of the story. Management has an opportunity to respond to the exceptions in Section V of the report.

It is important for management responses to exceptions to indicate to readers of the report that service organization management takes the exceptions seriously, has taken or plans to take steps to address the specific samples with exceptions discovered by the auditors, and has crafted plans to address the root cause that gave rise to the exceptions.


About the Author

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.
