How to Review a SOC Report for IT Services
- Contributor
- Allison D. Ward
Mar 20, 2026
Organizations rely heavily on IT service providers to manage critical systems, data, and operational processes. As reliance on third-party vendors increases, so does the need to evaluate their internal controls. Service Organization Control (SOC) reports are one of the most important tools for assessing whether an IT service provider can be trusted to protect your organization’s data and support your compliance obligations. Understanding how to review these reports effectively is essential for vendor risk management, audit readiness, and overall IT governance.
Understanding the Structure of a SOC Report
SOC reports follow a standard structure, making it easier for reviewers to navigate them once familiar with each section. Every SOC report includes an independent auditor’s opinion, the service provider’s management assertion, a detailed system description, and a section outlining controls tested and the audit results.
SOC 1 reports evaluate controls that may impact financial reporting, while SOC 2 reports assess controls related to security, availability, processing integrity, confidentiality, and privacy. Both SOC types may be issued as a Type I (point-in-time assessment) or a Type II (operating effectiveness over a stated period).
Verify Scope and Time Period
Before reviewing the report, ensure the scope and time period are sufficient to meet your organization’s needs. The scope should include all relevant services provided to your organization, and the time period should be recent, ideally within the past 6 to 12 months. If these are insufficient, then the report will fail to provide the needed assurance, and a new audit or a bridge letter may be necessary.
Review the Auditor’s Opinion
The auditor’s opinion sets the tone for the entire report. It indicates whether the auditor believes the controls were appropriately designed, and, in the case of Type II reports, whether they operated effectively during the audit period. Key types of opinions include:
- An unqualified opinion, indicating no significant issues were identified
- A qualified opinion, which reveals exceptions that limit assurance
- An adverse opinion, which signals serious deficiencies
- A disclaimer, meaning there is insufficient evidence to express an opinion
Reviewing the language in this section helps you determine the level of risk and whether additional inquiry is necessary. An unqualified opinion is the desired outcome.
Review the Management Assertion
The SOC report should include the service provider’s management assertion. This section is critical as it outlines management’s responsibilities and the claims they are making about the system and controls under review. Evaluate management’s confirmation that the system description is accurate and complete, and the scope and boundaries of the system as defined by management. Also assess management’s statement that controls were designed (Type I) and operated effectively (Type II) during the specified period, and review any disclosures or limitations that management identified related to the control environment.
If the assertion includes vague language, exceptions, or limitations, these may indicate areas that require closer attention during your review. A strong assertion should be explicit, transparent, and aligned with your understanding of the services and controls the provider delivers.
Review the System Description
The system description outlines the scope of services included in the audit. It details the technologies, infrastructure, processes, people, and locations covered during the review. This section also explains any limitations or boundaries of the system. As you read it, confirm that the description aligns with your understanding of the services your organization uses. If there is a mismatch, it may indicate that certain critical services were not assessed.
Understand the Control Objectives or Trust Services Criteria
The controls included in the report depend on the SOC type: SOC 1 focuses on control objectives related to financial reporting, while SOC 2 uses the trust services criteria, which focus on security, availability, processing integrity, confidentiality, and privacy. Review these criteria to ensure they address the risks relevant to your organization. For example, if data confidentiality is a primary concern, ensure that area is included.
Evaluate the Testing of Controls and Auditor Results
The heart of the SOC report lies in the auditor’s testing. This section discloses how each control was tested and whether any exceptions were found. Common testing methods include inquiry, inspection, observation, and re-performance. Pay attention to the number and nature of exceptions, whether exceptions were one-off events or recurring issues, the severity of any deficiencies, and management’s response or remediation steps.
Even small exceptions can matter depending on the service provided. Understanding the results helps you assess whether risks have been appropriately managed.
Assess Complementary User Entity Controls
Complementary User Entity Controls (CUECs) identify activities your organization must perform for the controls in the report to function as intended. These may include implementing strong password policies, maintaining network monitoring, or controlling user access. Reviewing CUECs is essential to determine whether your own internal practices support the effectiveness of the vendor’s controls. If your organization has not implemented the required controls, your overall risk increases even if the vendor’s audit results appear strong.
Examine Subservice Organizations and Carve-Outs
Many IT service providers rely on additional third-party vendors, or subservice organizations. The SOC report may use an inclusive approach (testing those controls) or a carve-out approach (excluding those controls). Carve-outs can create visibility gaps, especially when sub-vendors perform critical functions.
If key services rely on sub-vendors that were carved out, request their SOC reports or additional documentation to fully understand associated risks.
Evaluating Overall Risk and Impact
After reviewing all components, determine what the findings mean for your organization. Consider whether exceptions affect your use of the service, whether existing internal controls mitigate identified risks, and whether the vendor has appropriate remediation plans.
Mapping these insights into your organization’s risk management framework ensures a consistent and thorough evaluation.
Putting SOC Reports to Work
Reviewing a SOC report is an essential step in evaluating the reliability and security of IT service providers. By understanding the report's structure, analyzing the auditor’s findings, and assessing what those findings mean for your own control environment, your organization can make informed decisions that support strong governance and risk management.
If you have questions or would like guidance on reviewing a SOC report, reach out to your CRI advisor to ensure you have the right tools and insight to evaluate risks confidently.