How Internal Audit Can Assist with SOC Reviews at Higher Education Institutions

Higher Education, Risk Advisory/Internal Audit, SOC
by Andrew Jackson
share with a colleague Download PDF

With the rise of cloud computing and software-as-a-service (SaaS) playing a key role within higher education institutions, outsourcing certain functions to third parties is becoming more frequent.

Since third parties are being held accountable for providing services, computing, processing, storage and the protection of customer data, higher education institutions are requiring these third parties to complete a System and Organization Controls (SOC) report, or similar, prior to engagement.  Depending on the services being provided by the third party, a different report might be provided.  

SOC 1 reports are specifically intended to meet the needs of entities that use service organizations (user entities) in evaluating the effect of the controls at the service organization on the user entities’ financial statements. SOC 2 reports are designed to provide assurance for the security, processing integrity, availability, confidentiality, and/or privacy of other services provided by a service organization that does not impact the user entities’ financial statements.  Service organizations are held to a standardized set of control criteria for each of the categories covered in the report.  

SOC reports can be classified as either a Type 1 report or a Type 2 report.  Type 1 reports represent a point-in-time and only opine on the design of the controls at the time at which the report was completed.  Type 2 reports represent a period over time and reflect the operating effectiveness of controls throughout the review period.  Thus, Type 1 reports provide less assurance of third-party controls, and the Type 2 reports are typically required to provide a greater level of assurance.  If no report is available, a third-party security questionnaire should be provided to these third parties to be completed and returned.

SOC reports should be reviewed on a frequency commensurate with the criticality of a third party.  Criticality of third parties depends on many attributes including, without limitation, on the type of data they receive, the type of access they have to your network, the institution’s Recovery Time and/or Point Objective (RTO and RPO), which should be based on a Business Impact Analysis (BIA).  A good rule of thumb is that all critical and high-risk third party SOC reports should be reviewed annually, moderate risk third parties should be biennial, and low risk subservice organizations should be triennial.  

With this process of reviewing SOC reports growing as the industry standard, some higher education institutions might not be staffed and/or prepared to complete the tens to hundreds of SOC reports that require regular review.  This is where the Internal Audit function at institutions is proven to be a natural fit. For example, our Risk Advisory team issues hundreds of SOC reports annually, and therefore, maintains a deep understanding of SOC report requirements. SOC reports are not built equally, so having a trusted SOC expert to perform the review of other reports brings the assurance process full circle and produces otherwise unrealized value-added recommendations.

As part of Schneider Downs’ SOC report review process, we review the following areas to verify the security of the higher education institution’s third parties. You can also use the AICPA’s SOC Report Review Template to guide your review (Download it at schneiderdowns.com/TPRM) or reference “How to Review a Vendor’s SOC Report”: 

  • Opinion
  • Period Covered by the Report
  • Scope of Report
  • Types of Testing
  • Complementary User Entity Controls (CUECs)
  • Complementary Subservice Organization Controls (CSOCs)
  • Control Objectives (SOC 1) and Trust Services Criteria (SOC 2)
  • Audit Firm Reputation
  • Subservice Organizations
  • Results of Testing

Once the review of the report is complete, Internal Audit also assesses the CUECs and CSOCs by leveraging other audits performed for the institution. Complementary controls are essential to ensure the third party’s controls operate effectively, so the practice of mapping them to an institution’s internal controls allows for a true gap analysis to be performed. 

In summary, utilizing the Internal Audit function to perform third-party assessments is a practical approach for assessing and monitoring the controls of third parties and allows your institution to further focus on achieving its core mission.

 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Cybersecurity, IT Risk Advisory, Risk Advisory/Internal Audit BY Nathan Shepler
8 Key Considerations When Reviewing User Access
read more >
Financial Services, Risk Advisory/Internal Audit BY Marcy King
Enhancing Focus on Risk Management and Consumer Protection
read more >
Financial Services, Fraud/Investigative & Forensic Accounting, Risk Advisory/Internal Audit BY Tyler Caven
Controlling Wire Fraud in the Financial Industry
read more >
Risk Advisory/Internal Audit BY Brendan Leech
The Top Risks Internal Audit Leaders Need to Know for 2024
read more >
IT Risk Advisory, Risk Advisory/Internal Audit, SOC 2 BY Nicholas DeLuca
SOC 2 Terminology: Vendor vs Subservice Organization vs Subcontractor vs Third Party vs Nth Party
read more >
Higher Education BY Patrick Kerns
Preparing for Financial Responsibility Rule Changes
read more >
Register to receive our weekly newsletter with our most recent columns and insights.
subscribe for updates
most recent
Investment Corner with Jason & Sean: U.S. Small Cap Equities
Wealth Management
By Jason Staley | 4.23.2024

Learn more about the comprehensive history of technology and how it has directly shaped the realm of investing. ...

read more
most popular
Dynamics 365 Business Central 2024 Release Wave 1: Top 5 Features
Consulting, Digital & Technology
By Michael Scalamogna | 4.23.2024

Learn more about the top five new artificial intelligence features of wave one of the 2024 release of Dynamics 365 Business Central. ...

read more
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh
Columbus
Metropolitan Washington
Image of Prime Global Logo
follow us client portal

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×
Accept