
Vendor Risk Assessment - Reading the SOC2 report

Apr 14, 2023

You've got your vendor's SOC2 report in hand. Now what?

Hey there!


If you're a startup health-tech/med-tech/healthcare organization looking to evaluate a SaaS service provider's compliance with HIPAA and other relevant regulations and standards, you might want to consider reviewing their SOC2 Type 2 report. Here's how we review a SOC2 Type 2 report from a SaaS service provider to evaluate compliance for our clients:


First, we work with our clients to make sure that the service provider is a good fit for their needs. This means checking their capabilities, experience, reputation, and compliance with relevant regulations and standards.


Once the client has identified a suitable service provider, we will ask the service provider to send over a copy of their most recent SOC2 Type 2 report. Most service providers either have a way to request the report through their service portal or require a signed NDA. 


The first time we review a SOC report from a service provider we have not reviewed before, we read the report cover to cover. This helps us really understand how the service provider describes their services, and how the auditor addressed the service controls. After the initial read-through, we go back and dig a bit deeper into some sections.


We look at the auditor's opinion. This is a key component of the report, and we want to make sure that the service provider's controls are well-designed and operating effectively. We are looking for a "clean" opinion, without any observations if possible.


We also review the system description, which provides detailed information about the service provider's system and the controls they have in place to safeguard client data. This section covers topics like network security, physical security, access controls, and data backup and recovery procedures. We look to align the system description with the specific services our client is using from the provider.


Then, we look at the control objectives and related controls. These describe the specific objectives that the service provider is being evaluated against and the controls they've implemented to achieve those objectives. We want to make sure that these controls align with HIPAA and other relevant regulations and standards. We want to make sure that the security and availability principles are covered in the control objectives at a minimum, again relevant to the services used by our client. This section is usually the most detailed part of the report. We use it to determine two things: whether the controls are appropriate for the services, and whether there are any observations against any of the services.


If there are any Complementary User Entity Controls (CUECs), we dig into those as well. These are controls that need to be implemented by our client that work alongside the service provider's controls to mitigate risk. We want to make sure that any CUECs are appropriate for the services provided and have been associated with well-designed and effective controls in our clients’ operations.


If a management response section exists in the SOC report, we carefully evaluate this section. This is where the service provider responds to the auditor's findings and any identified areas of improvement. While the management response isn't audited, we still want to read it to understand how the service provider plans to address any identified deficiencies. If management responses exist in the report, it’s important to follow up with the service provider to ensure that planned improvements are still proceeding or have been completed.


Finally, we consider any other relevant information provided by the auditor or service provider.


That's it! Reviewing a SOC2 Type 2 report is an important step in evaluating compliance for our healthcare clients, but it's just one part of a larger due diligence process that includes contract negotiations, risk assessments, and ongoing monitoring of vendor compliance and updated SOC reports.

