CBIZ
  • Article
August 30, 2023

2023 SOC Benchmark Study: How Does Your SOC Report Rate Versus Your Peers?


In this era of escalating cyber threats, companies are doubling down on fortifying their digital fortresses. Protecting sensitive data — both organizational and customer-related — has become a paramount concern. But the million-dollar question is: If you have secured your own systems but have not vetted the cybersecurity measures of your third-party vendors, can you truly claim your data is safe?

The modern corporate landscape is seeing a growing wave of outsourcing, turning it into a staggering $85 billion industry. With companies increasingly relying on third-party partners to handle vital operations and safeguard confidential data, the potential risks have skyrocketed.

Enter SOC reports. These assessments are the compass that points businesses toward the safest outsourcing paths. CBIZ & MHM’s upcoming 2023 SOC Benchmark Study, “Benchmarking Your SOC Compliance Framework,” offers service providers insights on improving their SOC reports for greater efficiency and customer satisfaction.

Stay tuned: Over the next two months, we will provide an overview of some of our key findings and insights from the review.

What You’ll Learn

Our 2023 SOC Benchmark Study offers a comprehensive analysis for organizational leaders invested in improving SOC reporting practices. Drawing from an extensive review of over 150 SOC 1 and SOC 2 reports across various industries and business sizes, this study provides valuable insights into common challenges and areas of concern in current reporting methodologies.

In addition to highlighting prevalent control failures and report qualifications, the research delves deeply into nuanced elements often overshadowed in standard reviews. We aim to equip professionals like you with the knowledge and understanding required to refine and elevate your existing SOC program, ensuring accuracy, clarity, and efficiency in future reporting endeavors.

Key Findings We’ve Uncovered In Our SOC Benchmark Study

Our study reveals that not all SOC reports are created equal. In today’s uncertain economic climate, this diversity in reporting is to be expected. Let’s look at a few specifics.

Control Count Comparison

Everyone involved with a SOC report wants to know whether they are doing too much or too little. Our study found that SOC 1 reports varied widely in overall control count, from 13 to 337 controls. SOC 2 reports proved easier to evaluate.

SOC 1 control counts vary because the controls are driven by the scope of the services reviewed and the financial reporting objectives they support. SOC 2, on the other hand, is performed against a prescribed framework (the AICPA Trust Services Criteria), so entities should have a more consistent control count.

SOC 2 control counts can still vary with the number of Trust Services categories selected. However, since nearly all SOC 2 reports include the common criteria (the security category), that category provides a consistent basis for comparison.

Surprisingly, even here we found control counts for security ranging from 30 to 209. The average was 86, although in our experience 55-60 is probably the most common range.

Subservice Providers

Of the 154 reports studied, 82% of service providers used subservice providers for operations. Of these, 95% opted for the carve-out method, which excludes the subservice organization’s controls from the report. This is expected: the inclusive method requires both the service organization and the subservice organization to agree to participate in the examination. Large cloud subservice providers such as Amazon are unlikely to participate in every one of their customers’ examinations, so those customers must use the carve-out method. Typically, you would only see the inclusive method used where both parties have an aligned goal and the inclusive method is convenient for them (e.g., where the service and subservice organizations are in a parent-child relationship).

Some surprising takeaways from the subservice provider category were:

  • Only 82% of entities listed a subservice provider. Given how dependent companies are on outsourced providers and how much cloud usage has grown, we anticipated this figure would be close to 100%.
  • Numerous reports did not name their subservice providers. When a report you are reviewing omits them, we strongly encourage you to contact the service provider and ask for the names. Why is the entity not disclosing the vendors it works with? Is the vendor possibly a less reputable provider that lacks a SOC report of its own? You inherit the risks of the subservice providers, so you should know who they are and what risks they carry.

Control Exceptions

Reports with and without exceptions were almost perfectly split 50/50, with the average report showing 2.7 exceptions. The most common areas of these exceptions included:

  • Lack of evidence of business review/approval (18%)
  • Non-performance of user access reviews (15%)
  • Change management (14%)
  • Untimely revocation of terminated users (13%)

As SOC 1 reports are heavily weighted with controls around business review and approval, it made sense that there would be a higher number of exceptions in this area.

One area of surprise was that the next most common area for exceptions was physical access, primarily in SOC 1 reports. Since Sarbanes-Oxley (SOX) has not treated physical access as a key financial control for about ten years, why would a SOC 1 report (arguably performed to support SOX compliance) still have physical access in scope?
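Two of the exception areas listed above, untimely revocation of terminated users and non-performance of user access reviews, are easy for a service organization to check itself before the examination period closes. The following Python script is an added example and not part of the CBIZ study or its methodology: it joins a constructed HR termination feed to a constructed identity-provider export and flags revocations outside an assumed SLA, then checks a constructed review log for gaps wider than an assumed quarterly cadence. The SLA and cadence values, field names and sample data are all assumptions.

```python
"""Added example (not part of the CBIZ study): self-check for two common SOC
exception areas, untimely revocation of terminated users and missed user
access reviews.  All data below is constructed; the SLA and cadence values
are assumptions, not AICPA requirements."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed control parameters: change to match your own control description.
REVOCATION_SLA_DAYS = 1          # access removed within 1 day of termination
ACCESS_REVIEW_CADENCE_DAYS = 90  # quarterly user access reviews


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_on: date


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    disabled_on: Optional[date]  # None when no disable date was recorded


# Constructed HR feed for the period (not real data).
TERMINATIONS: List[Termination] = [
    Termination("alice", date(2023, 3, 10)),
    Termination("bob", date(2023, 4, 2)),
    Termination("carol", date(2023, 5, 20)),
    Termination("dave", date(2023, 6, 1)),
    Termination("erin", date(2023, 6, 15)),
]

# Constructed identity-provider export, keyed by user (not real data).
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", enabled=False, disabled_on=date(2023, 3, 10)),
    "bob": Account("bob", enabled=False, disabled_on=date(2023, 4, 14)),
    "carol": Account("carol", enabled=True, disabled_on=None),
    "dave": Account("dave", enabled=False, disabled_on=None),
    # "erin" has no account in this system, so there is nothing to revoke.
}

# Constructed review log: system -> dates a user access review was completed.
# Include the last review before the period so the first gap is measured.
ACCESS_REVIEWS: Dict[str, List[date]] = {
    "erp": [date(2022, 12, 20), date(2023, 3, 15), date(2023, 6, 5)],
    "crm": [date(2023, 2, 1)],
    "vpn": [],
}

AS_OF = date(2023, 6, 30)  # end of the examination period


def revocation_exceptions(terminations, accounts, as_of, sla_days=REVOCATION_SLA_DAYS):
    """Map each terminated user whose access was not removed within the SLA
    to a short reason.  A disabled account with no recorded disable date is
    also flagged: without a date there is no evidence the control operated
    on time, which is how an auditor would write it up."""
    findings: Dict[str, str] = {}
    for t in terminations:
        acct = accounts.get(t.user)
        if acct is None:
            continue  # no account in this system: nothing to revoke
        if acct.enabled:
            days = (as_of - t.terminated_on).days
            findings[t.user] = f"still enabled {days} days after termination"
        elif acct.disabled_on is None:
            findings[t.user] = "disabled, but no disable date recorded (evidence gap)"
        else:
            days = (acct.disabled_on - t.terminated_on).days
            if days > sla_days:
                findings[t.user] = f"disabled {days} days after termination (SLA {sla_days})"
    return findings


def access_review_exceptions(reviews, period_end, cadence_days=ACCESS_REVIEW_CADENCE_DAYS):
    """Map each system with no review, or with a gap between consecutive
    reviews (or from the last review to period_end) wider than the cadence,
    to a short reason."""
    findings: Dict[str, str] = {}
    for system, dates in reviews.items():
        if not dates:
            findings[system] = "no user access review performed"
            continue
        points = sorted(dates) + [period_end]
        worst = max((b - a).days for a, b in zip(points, points[1:]))
        if worst > cadence_days:
            findings[system] = f"{worst}-day gap between reviews (cadence {cadence_days})"
    return findings


if __name__ == "__main__":
    for user, why in revocation_exceptions(TERMINATIONS, ACCOUNTS, AS_OF).items():
        print(f"revocation exception: {user}: {why}")
    for system, why in access_review_exceptions(ACCESS_REVIEWS, AS_OF).items():
        print(f"access review exception: {system}: {why}")
```

Run against the constructed data, the script flags bob (disabled 12 days after termination), carol (still enabled) and dave (no disable date, an evidence gap even though access was removed), and flags crm and vpn for access reviews. The evidence-gap case is worth noting: an auditor testing the control needs a dated artifact, so a revocation that happened but was not recorded is still written up as an exception.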

Coming Soon

Next month, we will delve into further insights, including the use of internal audit, system descriptions and issuance periods. While many reviewers may not consider some of these areas as part of their review process, each yielded interesting insights and considerations.

© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.

“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.