Tech Fair Highlight: Gaining a Quick Understanding of a SOC 2 Audit Report
At the recent Direct LTx Tech Fair we brought together experts from different areas of IT infrastructure, cloud, and technology to present ideas and information to our customers, sponsors, and colleagues from across the local business technology ecosystem. In the upcoming weeks, we’ll be sharing with you highlights of some of the high-quality content shared by our presenters and enjoyed by attendees.
One of the presentations was by Dave Hammarberg of McKonly & Asbury, a Pennsylvania-based CPA and advisory firm that Direct LTx engages for our SOC 2 auditing and reporting.
McKonly & Asbury’s presentation at the Direct LTx Tech Fair focused on what to do if you only have 15 minutes to review and evaluate a SOC 2 report. Dave showed a pathway to get a solid understanding of a company’s infrastructure availability and risk management in that short period of time by utilizing a method he calls PRESTO.
PRESTO is an acronym representing Principles, Response, Exceptions, Scope, Time Period, and Opinion.
Principles identify which trust services principles are being used in the report. Are they the principles that matter to your organization? Does this SOC 2 report provide confidence that the controls at your organization, coupled with those of the audited service organization, will be effective?
Response from management, while not required, is generally found in the last section of the report when exceptions are noted. Are you comfortable with those responses? Does it lead to more questions?
Exceptions should be reviewed to determine if they are important to your organization. What is the potential impact and are you comfortable with them?
Scope is important to understand. Does the scope of the SOC 2 report align with the way your organization will consume the services of the SOC 2 audited company? Does it cover areas you would like to see addressed in a third-party audit? Is it a Type 2 report that covers operating effectiveness of controls, or simply a Type 1?
Time Period should be identified and understood. A SOC 2 report that is more than three months old is generally considered stale. Is the time-period recent? Are you comfortable it covers the concerns and issues emerging in the current security environment?
Opinion is the evaluation of the auditor. A clean (or unmodified) opinion indicates that the service auditor found no issues noted during the audit that would cause a modification of the opinion. If there are significant exceptions or issues the SOC 2 may receive a qualified report. Did the auditors give a clean opinion? Why or why not? Does the reason it is labeled a qualified report matter to your organization?
The PRESTO guideline from McKonly and Asbury is a helpful structure to gaining a quick understanding of a SOC 2 report and we thank Dave for his participation in our event. For an introduction to Dave or to discuss the SOC 2 report issued to Direct LTx email sales@directltx.com.