Audit and Assurance

SOC 2 and Contract Modifications?

  • 1.  SOC 2 and Contract Modifications?

    Posted 03 Mar, 2020 10:43
    Hello,
    I have been tasked with reviewing SOC 2 reports, and I am curious whether anyone has had to change contract language or create an addendum to a vendor contract because a SOC 2 report was missing key security policies, or contained elements that would compromise the C-I-A of data?

    We review all SOC 1 and SOC 2 reports prior to contract execution.

    Any input would be greatly appreciated.

    ------------------------------
    Charles
    ------------------------------


  • 2.  RE: SOC 2 and Contract Modifications?

    Posted 04 Mar, 2020 18:14
    I have been on both sides of this, as an auditor performing SOC 2 audits and as internal audit reviewing SOC 2 reports. Typically, we never tried to get contracts modified, as that process is cumbersome and it is difficult to get the vendor to agree to it. If there are specific controls that you are looking for that are missing from the SOC 2 report, then the best approach is to let the vendor know you reviewed the SOC 2 report and did not see specific controls called out. Depending on the level of comfort you require, you may need to ask for policies or specific evidence to support missing controls. Having said this, the vendor can refuse to provide the information. In that case, you would need to determine how this would impact your risk assessment of using the vendor's services and determine if you are willing to accept the risk. You could always ask them to include it in future reports as well.

    ------------------------------
    Troy Fine
    Manager
    Schneider Downs
    ------------------------------



  • 3.  RE: SOC 2 and Contract Modifications?

    Posted 04 Mar, 2020 18:28
    Thank you so much for your input.  I do appreciate it!

    Charles

    ------------------------------
    Charles
    ------------------------------